Snort mailing list archives

Re: uricontent option in 1.9 vs 1.8.6


From: Brian <bmc () snort org>
Date: Wed, 26 Feb 2003 15:05:06 -0500

On Wed, Feb 26, 2003 at 09:18:37AM -0500, David Gordon wrote:
> Thanks. I guess I don't understand why this would be a false positive.
>
> The Arachnids description states the following:
>
> URI Content: ".ida?"
> The packet offset is zero, meaning that we start looking
> for this content string in the start of the packet data.
> This is a case sensitive search.

The Arachnids rule can be evaded by changing the case of the ida extension.
The description of the content check is not valid.  See my previous email as 
to how content and uricontent are different.

-brian
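
As an added illustration of the case-sensitivity point in the reply above (not part of the original post, and not Snort's own code), this Python sketch models only how a `uricontent` match behaves with and without the `nocase` modifier. The rules, sids and request lines are constructed, and the URI is taken verbatim from the request line rather than passed through Snort's HTTP normalization.

```python
# Constructed rules in Snort 1.x option syntax; sids are from the local-use range.
HEADER = "alert tcp any any -> any 80 "
RULE_CASE_SENSITIVE = HEADER + '(msg:"ISAPI .ida access"; uricontent:".ida?"; sid:1000001;)'
RULE_NOCASE = HEADER + '(msg:"ISAPI .ida access"; uricontent:".ida?"; nocase; sid:1000002;)'

# Constructed HTTP request lines.
REQUESTS = [
    "GET /default.ida?AAAA HTTP/1.0",
    "GET /default.IDA?AAAA HTTP/1.0",
    "GET /default.IdA?AAAA HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

def parse_uricontent(rule):
    """Return [(pattern, nocase)] for every uricontent option in a rule.

    Simplified parser: assumes no ';' or escaped quotes inside patterns.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    checks, last = [], None
    for opt in body.split(";"):
        key, _, value = opt.strip().partition(":")
        if key in ("content", "uricontent"):
            last = [key, value.strip().strip('"'), False]
            checks.append(last)
        elif key == "nocase" and last is not None:
            last[2] = True  # nocase modifies the pattern option before it
    return [(pat, nocase) for key, pat, nocase in checks if key == "uricontent"]

def rule_matches(rule, request_line):
    """True if every uricontent pattern in the rule is found in the request URI."""
    uri = request_line.split(" ")[1]
    for pattern, nocase in parse_uricontent(rule):
        hay, needle = (uri.lower(), pattern.lower()) if nocase else (uri, pattern)
        if needle not in hay:
            return False
    return True

def missed_by(rule, requests, token=".ida?"):
    """Requests that contain the token in any letter case but raise no alert."""
    return [r for r in requests if token in r.lower() and not rule_matches(rule, r)]

if __name__ == "__main__":
    for name, rule in (("case-sensitive", RULE_CASE_SENSITIVE), ("nocase", RULE_NOCASE)):
        print(name, "misses:", missed_by(rule, REQUESTS))
```

Running `missed_by` over your own request samples for each `uricontent` rule shows which signatures depend on letter case and need `nocase`.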

