Snort mailing list archives

uricontent vs. content


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Tue, 29 Oct 2002 20:28:43 -0500

Hello,

I am working on an issue I am having with snort 1.9.0 build 209. I have two
rules,

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida?X attempt"; uricontent:".ida?X"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243; rev:1;)

and

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida?X attempt"; content:".ida?X"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243; rev:1;)

The only difference between the two is the first rule uses the uricontent
keyword, and the second uses the
plain old content option. The first rule doesn't work, the second does. 

If the packet requesting the URL is:

get /default.ida?XXXXXXXXXXXXXXXX

Shouldn't both of these rules work (with the first one being more
accurate)? Or am I interpreting the uricontent keyword incorrectly?

Thanks!

vjl


V.Jay LaRosa                           EMC Corporation
Information Security                  171 South Street
(508)249-3355 office                  Hopkinton, MA 01748
(508)498-5575 cell                     www.emc.com
(888)799-9750 pager                  larosa_vjay () emc com
(508)497-8082 fax
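The distinction the post is asking about, modelled as an added Python example (this is not code from the original post or from the Snort project; the toy HTTP decoder, the function names and the sample requests are assumptions): content searches the whole TCP payload, whereas uricontent searches only the URI buffer that an HTTP decoder fills in from the request line. The two keywords can therefore disagree in both directions: a uricontent rule finds nothing when the decoder did not produce a URI for the packet, and a content rule misses a percent-encoded URI that the decoder would have normalised.

```python
"""Toy model of Snort 'content' vs 'uricontent' matching (added example).

Assumptions, not taken from the original post: 'content' searches the entire
payload; 'uricontent' searches only the URI that the HTTP decoder extracted
from the request line (in Snort 1.x that buffer is filled by the http_decode
preprocessor). If the decoder produced no URI, uricontent cannot match.
"""
from urllib.parse import unquote_to_bytes

# Request methods the toy decoder recognises (an assumption of this model, not
# a statement about what real Snort versions accept).
DEFAULT_METHODS = ("GET", "POST", "HEAD")


def extract_uri(payload: bytes, methods=DEFAULT_METHODS,
                case_sensitive: bool = True) -> bytes:
    """Toy HTTP decoder: return the normalised request URI, or b"" when the
    request line is not recognised and there is no URI buffer to match."""
    line = payload.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) < 2:
        return b""
    method = parts[0] if case_sensitive else parts[0].upper()
    if method.decode("latin-1") not in methods:
        return b""
    # Normalisation step: percent-decode so "%2eida" and ".ida" compare equal.
    return unquote_to_bytes(parts[1])


def content_match(payload: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """Snort 'content': search the whole payload."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def uricontent_match(payload: bytes, pattern: bytes, nocase: bool = True,
                     **decoder_opts) -> bool:
    """Snort 'uricontent': search only the decoder's URI buffer."""
    uri = extract_uri(payload, **decoder_opts)
    if not uri:
        return False  # nothing to search: the rule can never fire
    if nocase:
        return pattern.lower() in uri.lower()
    return pattern in uri


# Constructed sample requests (not real captures); 240 X's keep dsize > 239.
UPPERCASE_REQ = b"GET /default.ida?" + b"X" * 240 + b" HTTP/1.0\r\n\r\n"
LOWERCASE_REQ = b"get /default.ida?" + b"X" * 240 + b" HTTP/1.0\r\n\r\n"
ENCODED_REQ = b"GET /default%2eida?" + b"X" * 240 + b" HTTP/1.0\r\n\r\n"
PATTERN = b".ida?X"


def compare(payload: bytes, **decoder_opts) -> dict:
    """Verdict of each rule option for one payload."""
    return {
        "content": content_match(payload, PATTERN),
        "uricontent": uricontent_match(payload, PATTERN, **decoder_opts),
        "dsize_gt_239": len(payload) > 239,
    }


if __name__ == "__main__":
    for name, req in (("uppercase", UPPERCASE_REQ),
                      ("lowercase", LOWERCASE_REQ),
                      ("encoded", ENCODED_REQ)):
        print(name, compare(req))
    print("lowercase, case-insensitive decoder",
          compare(LOWERCASE_REQ, case_sensitive=False))
```

In this model the lower-case request line produces a payload that content matches but uricontent does not, because the decoder recognised no method and left the URI buffer empty; that is one way the symptom in the post can arise, not a claim about what Snort 1.9.0 actually does with it. The encoded request shows the opposite case: content on the raw bytes misses "%2eida", while the decoded URI still contains ".ida?X". When troubleshooting a uricontent rule, the first check is therefore whether the HTTP decoder is enabled for the port in question and is producing a URI for the traffic you expect to alert on.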



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

