Snort mailing list archives

Re: Not uricontent


From: "lists () packetmail net" <lists () packetmail net>
Date: Thu, 23 Feb 2012 16:49:16 -0600

On 02/23/12 15:40, Andrew Torres wrote:
> Can anyone advise on a method to write a rule that says all content except
> uricontent. An example of this would be looking for a string in the body of
> the text but not in the uri.
> Please Advise. Thanks

Hi Andrew, so when you use the content:"" keyword unconstrained to a buffer you
end up with a situation like you've described.  There are two ways to approach this:

1) You could use some of the http_* content modifiers like http_header,
http_client_body, http_cookie, etc.

2) You could use a plain content match coupled with a negated content match
against http_uri.  Consider the below:

#Match 'foo' but not if 'foo' is in the URI
content:"foo"; content:!"foo"; http_uri;

Thanks,
Nathan
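
The difference between the two approaches in the reply above, as an added example that is not part of the original post: a simplified Python model of the buffers each option inspects, run over constructed requests. The function names, the sample requests and the buffer splitting are assumptions made for illustration; URI normalization and stream reassembly are not modelled.

```python
# Simplified model of the buffers the rule options above inspect.
# Assumption: one request per payload, no URI normalization, no reassembly.

def split_http_request(raw: bytes) -> dict:
    """Split a raw HTTP request into raw payload, URI, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    return {"raw": raw, "http_uri": uri,
            "http_header": headers, "http_client_body": body}

def option1_client_body(raw: bytes, needle: bytes) -> bool:
    """Approach 1: content:"<needle>"; http_client_body;"""
    return needle in split_http_request(raw)["http_client_body"]

def option2_negated_uri(raw: bytes, needle: bytes) -> bool:
    """Approach 2: content:"<needle>"; content:!"<needle>"; http_uri;"""
    buf = split_http_request(raw)
    # The unconstrained match sees the whole payload, URI included;
    # the negated match then vetoes the rule if the URI contains the string.
    return needle in buf["raw"] and needle not in buf["http_uri"]

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "body_only": b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Length: 8\r\n\r\nuser=foo",
    "uri_only": b"GET /foo HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "uri_and_body": b"POST /foo/login HTTP/1.1\r\nHost: example.test\r\n"
                    b"Content-Length: 8\r\n\r\nuser=foo",
    "header_only": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
                   b"Cookie: id=foo\r\n\r\n",
}

def evaluate(needle: bytes = b"foo") -> dict:
    """Return {sample name: (approach 1 fires, approach 2 fires)}."""
    return {name: (option1_client_body(raw, needle),
                   option2_negated_uri(raw, needle))
            for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, (opt1, opt2) in evaluate().items():
        print(f"{name:13} http_client_body={opt1!s:5} negated http_uri={opt2}")
```

In this model the two approaches disagree on two inputs: a request with the string in both the URI and the body fires only approach 1, and a request with the string only in a header fires only approach 2.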
