Snort mailing list archives

FW: uricontent vs. content


From: "larosa, vjay" <larosa_vjay () emc com>
Date: Wed, 30 Oct 2002 15:20:18 -0500

Hello,

Anybody have any ideas on this post I made last night? Thanks!

vjl

-----Original Message-----
From: larosa, vjay
Sent: Tuesday, October 29, 2002 8:29 PM
To: 'snort-users () lists sourceforge net'
Subject: uricontent vs. content

Hello,

I am working on an issue I am having with snort 1.9.0 build 209. I have
two rules,

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida?X attempt"; uricontent:".ida?X"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243; rev:1;)

and

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida?X attempt"; content:".ida?X"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243; rev:1;)

The only difference between the two is the first rule uses the uricontent
keyword, and the second uses the
plain old content option. The first rule doesn't work, the second does. 

If the packet requesting the URL is:

get /default.ida?XXXXXXXXXXXXXXXX

Shouldn't both of these rules work, (with the first one being more
accurate)? Or am I interpreting the uricontent
keyword incorrectly?

Thanks!

vjl


V.Jay LaRosa, Information Security
EMC Corporation, 171 South Street, Hopkinton, MA 01748
(508)249-3355 office
(508)498-5575 cell
(888)799-9750 pager
(508)497-8082 fax
www.emc.com
larosa_vjay () emc com
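Added example, not part of the post above: a toy model of the scope difference the post asks about. A `content` match searches the whole TCP payload, while `uricontent` searches only the URI the HTTP decoder pulled out of the request line, so if nothing is decoded as a URI the option cannot match. The request-line parser, the `rule_fires` helper and both sample payloads are assumptions constructed here, not Snort's own decoder, so the real preprocessor's parsing rules are where a mismatch like the one in the post has to be checked.

```python
import re

# Constructed sample: the request from the post, padded so dsize:>239 holds.
SAMPLE = b"get /default.ida?" + b"X" * 16 + b"\r\n" + b"A" * 230
# Constructed sample: the string appears only in the body, not in the URI.
BODY_ONLY = b"POST /upload HTTP/1.0\r\n\r\n.ida?X" + b"B" * 230

# Simplified request-line parser (assumption): METHOD SP URI [SP VERSION] CRLF.
REQUEST_LINE = re.compile(rb"^([A-Za-z]+) (\S+)(?: (HTTP/\d\.\d))?\r?\n")


def extract_uri(payload: bytes):
    """Return the request URI, or None if no request line is recognised."""
    m = REQUEST_LINE.match(payload)
    return m.group(2) if m else None


def content_match(payload: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """`content`: substring search over the entire payload."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def uricontent_match(payload: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """`uricontent`: substring search restricted to the decoded URI."""
    uri = extract_uri(payload)
    if uri is None:  # nothing decoded as a URI, so the option cannot match
        return False
    if nocase:
        return pattern.lower() in uri.lower()
    return pattern in uri


def rule_fires(payload: bytes, pattern: bytes, use_uricontent: bool,
               min_dsize: int = 239) -> bool:
    """Evaluate the post's rules: dsize:>239 plus one of the two options."""
    if len(payload) <= min_dsize:
        return False
    match = uricontent_match if use_uricontent else content_match
    return match(payload, pattern)


if __name__ == "__main__":
    for name, payload in (("request", SAMPLE), ("body-only", BODY_ONLY)):
        for label, use_uri in (("content", False), ("uricontent", True)):
            print(f"{name:10} {label:10} -> {rule_fires(payload, b'.ida?X', use_uri)}")
```

The body-only sample shows why the URI-scoped option is the more precise of the two: `content` fires on it, `uricontent` does not.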


