Snort mailing list archives

uricontent


From: pierz <pierz () indahax com>
Date: Thu, 13 Dec 2007 12:49:40 +0100

There are some things I don't understand about uricontent.

The rule:

alert tcp any any -> any any (msg:"hey"; uricontent:"pierz"; sid:"111111111111"; )

triggers an alert when I use POST data:

POST / HTTP/1.1
Host: 192.168.1.2
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11 XPCOMViewer/1.0a1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: fr,en-us;q=0.8,fr-fr;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://192.168.1.2/
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

check=pierz


But in the manual it's specified that uricontent only looks in the URI
field. What does URI field mean?
For me it's the URI with GET parameters, not POST parameters.

Am I missing something in the http_inspector?
