[Bro] bro signature http-request double encoded cause FN ?

rmkml rmkml at yahoo.fr
Thu Aug 16 15:42:42 PDT 2012

ok it's long time I don't worked on bro signature "language",
but Im back today and Im start few tests:

0) web test without encoding : /abc
OK, detected by  http-request /.*\/abc.*/

1) http utf8 simple encoded like /ab%63
OK, detected by  http-request /.*\/abc.*/

2) http utf8 double encoded like /ab%2563
NOT detected by  http-request /.*\/abc.*/

Anyone confirm this ?
Maybe need switch a variable, where ?



More information about the Bro mailing list