Re: false alarm? do I have preprocessor right?

[Matt Kettler <mkettler () evi-inc com>]

Uricontent will only search the URI part of the data for your string, but 
it is otherwise the same as a "content" rule and will still do a sub-string 
type match within the URI.

The behavior of snort matching the example packet is "as specified" and 
what you've asked to match is "any packet containing /finger anywhere 
within a URI."

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.30

AFAIK There's no "exact match" features for string searches anywhere within 
snort... only sub-string searches.

At 12:18 PM 11/27/2002 -0500, you wrote:
> I appear to be getting a false alarm on [snort/839]  WEB-CGI finger access
> Snort 1.9 FREEBSD 4.7-STABLE
>
> rules says:
> uricontent:"/finger";
> http://www.snort.org/snort-db/sid.html?sid=839
>
> payload has this in it:
> GET /f/1040/759/1h/pic.infospace.com/info.xcite/pics/fingersm.gif
> 'http://63.240.15.147/f/1040/759/1h/pic.infospace.com/info.xcite/pics/fingersm.gif'
>
> Shouldn't /uricontent / finger, basically look for this only?
>
> GET /finger
> Not anything with a leading /finger?
>
> snort.conf:
> preprocessor frag2
>
> preprocessor stream4: noinspect, disable_evasion_alerts, ttl_limit 0
>
> preprocessor stream4_reassemble: noalerts
>
> preprocessor http_decode: 80 unicode iis_alt_unicode double_encode \
> iis_flip_slash full_whitespace



-------------------------------------------------------
This SF.net email is sponsored by: Get the new Palm Tungsten T 
handheld. Power & Color in a compact size! 
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users