Snort mailing list archives

Re: [Emerging-Sigs] what s the real difference here?

From: Matt Watchinski <mwatchinski () sourcefire com>
Date: Wed, 14 Jul 2010 13:33:27 -0400

content:"foo"; http_uri; is preferred.  Other than consistency with
the other content modifiers http_client_body, filedata, etc its easier
to parse one thing and not two.

Cheers,
-matt

On Wed, Jul 14, 2010 at 1:10 PM, Joel Esler <jesler () sourcefire com> wrote:

On Jul 14, 2010, at 12:22 PM, waldo kitty wrote:


On 7/13/2010 19:10, Joel Esler wrote:

On Jul 13, 2010, at 6:58 PM, waldo kitty wrote:


On 7/13/2010 18:40, Joel Esler wrote:

CC'ing Snort-Sigs list:

Copy and paste out of the manual for http_uri:

"Using a content rule option followed by a http uri modifier is the same as using a uricontent by itself."


that's what i thought... so... if i may be so bold... why the change in format?
which is better? is one preferred over the other? which one?


Not sure of the reasoning behind it.  Maybe a Devel or VRT can chime in on that one.


a huge number of "modified active" signatures had only the change i'm asking
about in them... switching from "uricontent:blah;" to "content:blah; http_uri;"
and nothing else...

and so my curiosity was highly aroused and here we are ;)


I noticed that as well when I was looking at the botnet-cnc and what not (new rule categories) rules.
------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs




-- 
Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Current thread:

Re: [Emerging-Sigs] what's the real difference here? Joel Esler (Jul 13)
- Message not available
  - Re: [Emerging-Sigs] what s the real difference here? Joel Esler (Jul 13)
    - Re: [Emerging-Sigs] what s the real difference here? waldo kitty (Jul 14)
    - Re: [Emerging-Sigs] what s the real difference here? Joel Esler (Jul 14)
    - Re: [Emerging-Sigs] what s the real difference here? Matt Watchinski (Jul 14)