Snort mailing list archives

Re: uricontent option in 1.9 vs 1.8.6


From: Brian <bmc () snort org>
Date: Wed, 26 Feb 2003 10:00:55 -0500

> Can someone please explain to me why the rule for sid 1242 acts differently
> in snort 1.8.6 vs. snort 1.9?

<snip>

> The following packet generates an alert when running Snort 1.8.6, but not
> Snort 1.9
>
> 02/16-02:18:38.582833 217.234.56.78:3306 -> 123.456.78.90:80
> TCP TTL:112 TOS:0x0 ID:43759 IpLen:20 DgmLen:1492 DF
> ***AP*** Seq: 0xAEAD8723  Ack: 0xB2DB3D32  Win: 0x4410  TcpLen: 20
> /default.ida?N

Because that isn't a valid URI.

The content "GET /default.ida?N" is valid.  HTTP specifies requests
should have a method, then a URI, and then a version, then extra
headers.  The version and extra headers are optional.  The method and
URI are not.

Try this and see if it triggers on your installation of snort 1.9:

   echo "GET /default.ida?N HTTP/1.0" | nc your.server.here 80

-brian
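To make Brian's point concrete, here is an added example (not Snort's code, and not part of the original thread) that models the difference between a raw payload match and a URI-only match: the URI is only extracted when the payload opens with a method followed by a URI, with the HTTP version optional. The request-line regex and the sample payloads are constructed for this illustration.

```python
import re
from typing import Optional

# Illustrative model only, not Snort's http decoder: a request line is
# METHOD SP URI, optionally followed by SP HTTP/x.y, per the thread.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+)(?: HTTP/\d\.\d)?(?:\r?\n|$)")


def extract_uri(payload: bytes) -> Optional[str]:
    """Return the request URI when the payload starts with a well-formed
    request line, else None. A bare path such as b"/default.ida?N" has no
    method, so a URI-aware decoder extracts nothing from it."""
    m = REQUEST_LINE.match(payload)
    if m is None:
        return None
    return m.group(2).decode("ascii", errors="replace")


def content_match(payload: bytes, needle: str) -> bool:
    """Raw payload search ("content"-style): looks anywhere in the bytes."""
    return needle.encode("ascii") in payload


def uricontent_match(payload: bytes, needle: str) -> bool:
    """URI-only search ("uricontent"-style): matches against the extracted
    URI, so it cannot fire when no request line was recognised."""
    uri = extract_uri(payload)
    return uri is not None and needle in uri


# Constructed payloads: the bare path quoted in the thread, Brian's suggested
# full request, and a request with a method but no version.
SAMPLES = {
    "bare_path_from_thread": b"/default.ida?N",
    "brian_suggestion": b"GET /default.ida?N HTTP/1.0\r\n",
    "method_no_version": b"GET /default.ida?N\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:24} uri={extract_uri(payload)!r:18} "
              f"content={content_match(payload, '/default.ida?')} "
              f"uricontent={uricontent_match(payload, '/default.ida?')}")
```

The bare path matches on raw content but yields no URI, so a URI-only check never fires on it; once a method is present the URI is extracted and the same check matches.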

