RE: FW: uricontent vs. content

["larosa, vjay" <larosa_vjay () emc com>]

Hi Chris,

I tested this and all of the data was in one packet. 
I will try testing this tomorrow AM with
no dsize option with and with out the uricontent
to see what happens. Thanks!

vjl

-----Original Message-----
From: Chris Green [mailto:cmg () snort org]
Sent: Wednesday, October 30, 2002 5:49 PM
To: larosa, vjay
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] FW: uricontent vs. content


"larosa, vjay" <larosa_vjay () emc com> writes:

> From: "larosa, vjay" <larosa_vjay () emc com>
> Subject: [Snort-users] FW: uricontent vs. content
> To: "'snort-users () lists sourceforge net'"
<snort-users () lists sourceforge net>
> Date: Wed, 30 Oct 2002 15:20:18 -0500
>
> Hello,
>
> Anybody have any ideas on this post I made last night? Thanks!

I'm betting its because
GET
/default ida?XXXXX  is pushed through as 2 packets instead
and that the dsize check is not true for stream packets.

I'm having Brian remove that and I'll go and make sure that
distance/within works correctly before 1.9.1...
-- 
Chris Green <cmg () sourcefire com>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod


-------------------------------------------------------
This sf.net email is sponsored by: Influence the future 
of Java(TM) technology. Join the Java Community 
Process(SM) (JCP(SM)) program now. 
http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0004en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users