Snort mailing list archives

Re: uricontent and pcre


From: "Keith W. McCammon" <keith-list () mccammon org>
Date: Mon, 28 Jun 2004 12:04:04 -0400

> Two options for the pay-load for Snort options are:
> uricontent and pcre.
> Can someone explain these in layman's terms. uricontent talks about NORMALIZING and directory

Uricontent is used to specify content in a URI. For example, if someone sends a GET request for /news/articles/privatepage.asp, you'd use a uricontent match to search for part of that string.

Normalization means that the http preprocessor will decode any special characters or encoding used to send that string.

> traversals..I have no idea of what this is.

A request including "../" would be an example of a traversal.

> And I
> referred to the pcre site for more information on this,
> but it just hasn't clicked yet.

PCRE is used to find matches based on regular expressions, which is much more efficient if you're looking for a match on content that may include any number of variable components.

It sounds as though you don't have much experience with pattern matching, HTTP (the protocol), etc. If you're in the business of toying around with ID technology, I would recommend that you get very familiar with the underlying technologies that you're trying to define, detect, etc. Otherwise, you're going to be fighting an uphill battle...
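
Added example, not part of the original post and not Snort's code: a simplified Python model of the ideas in the reply above, showing why a fixed-string match is run against the normalized URI, how a "../" traversal is spotted, and where a regular expression covers variable components. The function names, the normalization steps and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

def _segments(raw_uri):
    """Percent-decode the path and split it into segments."""
    path = raw_uri.partition("?")[0]
    return unquote(path).replace("\\", "/").split("/")

def has_traversal(raw_uri):
    """True if the decoded path contains a '..' segment."""
    return ".." in _segments(raw_uri)

def normalize_uri(raw_uri):
    """Simplified model of URI normalization (assumption, not Snort's code)."""
    out = []
    for seg in _segments(raw_uri):
        if seg in ("", "."):      # collapse '//' and '/./'
            continue
        if seg == "..":           # resolve a traversal step
            if out:
                out.pop()
            continue
        out.append(seg)
    _, sep, query = raw_uri.partition("?")
    return "/" + "/".join(out) + sep + query

def uricontent_match(raw_uri, content):
    """Fixed-string match against the normalized URI, like uricontent."""
    return content in normalize_uri(raw_uri)

def pcre_match(raw_uri, pattern):
    """Regular-expression match against the normalized URI."""
    return re.search(pattern, normalize_uri(raw_uri)) is not None

if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        "/news/articles/privatepage.asp",
        "/news/%61rticles/privatepage.asp",
        "/news/images/../articles//privatepage.asp",
        "/news/articles/page17.asp?id=4",
    ]
    target = "/news/articles/privatepage.asp"
    for uri in samples:
        print(uri, "| raw:", target in uri,
              "| uricontent:", uricontent_match(uri, target),
              "| pcre:", pcre_match(uri, r"^/news/articles/\w+\.asp"),
              "| traversal:", has_traversal(uri))
```

The second and third samples fail a raw substring search but match once normalized; the fourth only matches the regular expression, because the page name varies.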

