Snort mailing list archives
RE: uricontent option in 1.9 vs 1.8.6
From: Erek Adams <erek () snort org>
Date: Wed, 26 Feb 2003 09:49:54 -0500 (EST)
On Wed, 26 Feb 2003, David Gordon wrote:
Thanks. I guess I don't understand why this would be a false positive.
It's ok, just go get another cup of coffee. It may not help, but it's a good excuse for that 2:30pm after lunch crankiness when bothered by that Luser from department X. ;-)
The Arachnids description states the following: URI Content: ".ida?" The packet offset is zero, meaning that we start looking for this content string in the start of the packet data. This is a case sensitive search. In my case, ".ida?" does in fact show up in the packet data. Perhaps I don't understand the difference between content and uricontent. I thought that "content" would be anything in the payload of any TCP packet and that "uricontent" would be the result of the http_decode preprocessor reassembling (and de-obfuscating) packets to port 80 (or whatever ports are defined as being used for http).
Yes, content is anywhere in the packet. Uricontent is content only in the URI. If you have a wade through--God, I _hate_ reading those damned things--the RFC that Joe linked to, you'll find a paragraph: A URI can be further classified as a locator, a name, or both. The term "Uniform Resource Locator" (URL) refers to the subset of URI that identify resources via a representation of their primary access mechanism (e.g., their network "location"), rather than identifying the resource by name or by some other attribute(s) of that resource. The term "Uniform Resource Name" (URN) refers to the subset of URI that are required to remain globally unique and persistent even when the resource ceases to exist or becomes unavailable. In human speak, that comes out as "It's a standard for having a uniform identifier for resources, which also designates what the protocol is to get to the resource." (Or that's how I read it... :) So uricontent only looks at the 'http://www.foo.com/foofus/bunny/rabbit.html' and nothing else in the packet. Oh, and as usual, if I'm wrong, will someone beat me about the head with a clue stick?
Wouldn't the content of this packet also be uricontent?
Not quite... The content of the _entire_ packet, even the packet headers. So if you were searching for a sequence number you would use content. If you are looking for something in the URI, then uricontent. If you are looking for binary data that would be after the URI or there is no URI, then use content. If you have it, could you post (or private email) a full packet dump of the packet that's triggering/not triggering the alert? Cheers! ----- Erek Adams "When things get weird, the weird turn pro." H.S. Thompson
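The content/uricontent distinction the thread is circling, as an added example (not code from the thread or from Snort): a small Python model that matches a pattern against the whole TCP payload (content) versus only the normalised request URI (uricontent), with the percent-decoding and path cleanup standing in for what the http_decode preprocessor did. The two sample payloads are constructed, not captured traffic.

```python
"""Added example (not from the thread): model Snort's content vs uricontent
matching on the TCP payload of an HTTP request.

Assumption: the normalisation below (percent-decoding, collapsing '//' and
'/./') stands in for the http_decode preprocessor's de-obfuscation."""
from typing import Optional
from urllib.parse import unquote


def extract_uri(payload: bytes) -> Optional[str]:
    """Return the request-target from the HTTP request line, or None when the
    payload is not an HTTP request (no URI means uricontent can never match)."""
    request_line, _, _ = payload.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1].decode("latin-1")


def normalize_uri(uri: str) -> str:
    """Undo the obfuscations http_decode reverses: %XX encoding,
    self-referential directories and doubled slashes (path part only)."""
    uri = unquote(uri)
    path, sep, query = uri.partition("?")
    while "//" in path:
        path = path.replace("//", "/")
    while "/./" in path:
        path = path.replace("/./", "/")
    return path + sep + query


def content_match(payload: bytes, pattern: bytes) -> bool:
    """Snort 'content': raw byte pattern anywhere in the packet payload."""
    return pattern in payload


def uricontent_match(payload: bytes, pattern: str) -> bool:
    """Snort 'uricontent': pattern only within the normalised URI."""
    uri = extract_uri(payload)
    return uri is not None and pattern in normalize_uri(uri)


# Constructed sample payloads (not captured traffic).
ENCODED_REQ = b"GET /default%2Eida?NNNN HTTP/1.0\r\nHost: www.foo.com\r\n\r\n"
BODY_REQ = b"POST /upload HTTP/1.0\r\nHost: www.foo.com\r\n\r\nfile=.ida?oops"

if __name__ == "__main__":
    for name, pkt in (("encoded-uri", ENCODED_REQ), ("in-body", BODY_REQ)):
        print(name, "content:", content_match(pkt, b".ida?"),
              "uricontent:", uricontent_match(pkt, ".ida?"))
```

The encoded request matches uricontent but not content, while the request carrying ".ida?" in its body matches content but not uricontent, which is exactly the kind of alert/no-alert split the thread is trying to explain.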