Snort mailing list archives

Re: uricontent option in 1.9 vs 1.8.6


From: Erek Adams <erek () snort org>
Date: Wed, 26 Feb 2003 09:25:06 -0500 (EST)

On Tue, 25 Feb 2003, Joe McAlerney wrote:

> I believe this is a result of Snort 1.8 improperly searching for
> uricontent, generating a false positive.  1.9 fixes this by searching
> for the content string within the bounds of the URI [1].  In this case,
> the payload doesn't contain a scheme (HTTP), or "://" for HTTP.  The
> same is true if the content was located in the referrer part of an HTTP
> request.

Yes, and from the fact that 1.9.x is now using flow: as a keyword.  That
_really_ cuts down on the false positives as it actually checks for the
flow of the data to or from the server.  It can also understand what an
established connection is.  Those things combined with the uricontent info
that Joe mentioned make for a whole lot fewer false positives.

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
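As an added illustration (not from this thread, and not Snort's own code), here is a small Python sketch of the two matching behaviours Joe contrasts: a plain content-style match over the whole payload fires when the string sits in a Referer header, while a uricontent-style match confined to the request-URI does not. The HTTP requests and the "/cgi-bin/phf" pattern are constructed samples.

```python
"""Added example: whole-payload match vs. match restricted to the request-URI.
Mirrors the 1.8 vs 1.9 uricontent difference discussed in the thread."""
import re
from typing import Optional

# Constructed sample requests (not captured traffic).
REQ_IN_URI = (
    b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"
    b"Host: www.example.com\r\n\r\n"
)
REQ_IN_REFERER = (
    b"GET /index.html HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"Referer: http://other.example/cgi-bin/phf\r\n\r\n"
)

PATTERN = b"/cgi-bin/phf"  # constructed signature string


def payload_content_match(payload: bytes, pattern: bytes) -> bool:
    """content:-style check: the pattern anywhere in the packet payload."""
    return pattern in payload


def request_uri(payload: bytes) -> Optional[bytes]:
    """Return the request-URI from an HTTP request line, or None if the
    payload does not start with a request line (e.g. server -> client data)."""
    m = re.match(rb"^[A-Z]+ (\S+) HTTP/\d\.\d\r\n", payload)
    return m.group(1) if m else None


def uricontent_match(payload: bytes, pattern: bytes) -> bool:
    """uricontent:-style check: the pattern only within the request-URI,
    so a hit in the Referer (or any other header) does not count."""
    uri = request_uri(payload)
    return uri is not None and pattern in uri


if __name__ == "__main__":
    for name, req in (("uri", REQ_IN_URI), ("referer", REQ_IN_REFERER)):
        print(name, "content:", payload_content_match(req, PATTERN),
              "uricontent:", uricontent_match(req, PATTERN))
```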

