Snort mailing list archives
Re: Why content and not uricontent?
From: Holger Mense <holger () project2501 de>
Date: Thu, 21 Apr 2005 18:07:58 +0200
Hi, thank you for your answer. I thought about it, however, I didn't get it ;) * Brian <bmc () snort org>:
On Tue, Apr 12, 2005 at 11:43:59PM +0200, Holger Mense wrote:Now I am curios. Can someone explain me, if there are any reasons for using content over uricontent?phf can be exploited via POST as well as GET. http inspect doesn't provide a normalized parameter detection method,
I don't understand this. Using uricontent="QALIAS" worked for me, even when the string "qalias" used hex encoding. And this part of the URL already belongs to the parameter.
so we use content to catch both GET and POST attacks.
Which does not catch the different encodings. Thanks for your help, Holger Mense -- Holger Mense
Attachment:
signature.asc
Description: Digital signature
Current thread:
- Why content and not uricontent? Holger Mense (Apr 12)
- Re: Why content and not uricontent? Brian (Apr 13)
- Re: Why content and not uricontent? Holger Mense (Apr 21)
- Re: Why content and not uricontent? Matt Kettler (Apr 21)
- Re: Why content and not uricontent? Holger Mense (Apr 21)
- Re: Why content and not uricontent? Holger Mense (Apr 21)
- Re: Why content and not uricontent? Brian (Apr 13)