Snort mailing list archives
Re: Why content and not uricontent?
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 21 Apr 2005 13:05:28 -0400
Holger Mense wrote:
> Hi, thank you for your answer. I thought about it, however, I didn't get it ;)
>
> * Brian <bmc () snort org>:
> > On Tue, Apr 12, 2005 at 11:43:59PM +0200, Holger Mense wrote:
> > > Now I am curious. Can someone explain to me if there are any reasons for using content over uricontent?
> >
> > phf can be exploited via POST as well as GET. http inspect doesn't provide a normalized parameter detection method,
>
> I don't understand this. Using uricontent="QALIAS" worked for me, even when the string "qalias" used hex encoding. And this part of the URL already belongs to the parameter.
I think Brian's point is that uricontent doesn't match the parameters to an HTTP POST command, only the URI itself. I assume in your testing you were using a GET, not a POST with an exploiting parameter.

Since in the POST method the parameter isn't a part of the URI, the attack string won't be seen by uricontent rules if the attacker uses this method. Thus, while using uricontent closes the hole of encoded requests, it opens the hole of someone using the POST command for the exploit. On the other hand, content fails to handle encodings, but it does match both POST and GET requests.

I'd suspect you really want both rules, one to deal with encoded GET requests, the other to deal with exploits via the POST command. Or, better yet, an http_inspect hack to allow a "uricontent" equivalent for POST parameters (you would want to create a new keyword for this), and use two rules, one with uricontent, the other with "postparametercontent" or whatever.
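As an added illustration (not code from the thread or from Snort), here is a small Python model of what each keyword sees for the two delivery methods discussed above. It assumes that http_inspect normalizes the request URI by decoding %XX escapes before uricontent is evaluated, and that a plain content match runs over the raw, undecoded payload; the two sample requests are constructed for the example.

```python
from urllib.parse import unquote

# Constructed sample requests (not captured traffic).
# 1) phf parameter delivered in a GET, with the first byte hex-encoded.
ENCODED_GET = (
    "GET /cgi-bin/phf?%51ALIAS=x HTTP/1.0\r\n"
    "Host: www.example.com\r\n\r\n"
)
# 2) The same parameter delivered in a POST body; the URI carries no parameter.
POST_REQUEST = (
    "POST /cgi-bin/phf HTTP/1.0\r\n"
    "Host: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 8\r\n\r\n"
    "QALIAS=x"
)

def normalized_uri(request: str) -> str:
    """Model of http_inspect URI normalization (assumption): take the
    request-line URI and decode %XX escapes. Only the URI is covered."""
    request_line = request.split("\r\n", 1)[0]
    uri = request_line.split(" ")[1]
    return unquote(uri)

def uricontent_matches(request: str, pattern: str) -> bool:
    """uricontent: the pattern is searched in the normalized URI only."""
    return pattern in normalized_uri(request)

def content_matches(request: str, pattern: str) -> bool:
    """content (no modifiers): the pattern is searched in the raw payload,
    so encodings are not undone but headers and body are all visible."""
    return pattern in request

def rule_coverage(request: str, pattern: str) -> dict:
    """Which of the two single-keyword rules would fire on this request."""
    return {
        "uricontent": uricontent_matches(request, pattern),
        "content": content_matches(request, pattern),
    }

def either_rule_fires(request: str, pattern: str) -> bool:
    """The two-rule approach suggested above: alert if either keyword hits."""
    return any(rule_coverage(request, pattern).values())

if __name__ == "__main__":
    for name, req in (("encoded GET", ENCODED_GET), ("POST", POST_REQUEST)):
        print(name, rule_coverage(req, "QALIAS"))
```

Each single-keyword rule misses one of the two requests, while the pair catches both; a keyword that normalized the POST body would close the remaining encoding gap for POST parameters.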
Current thread:
- Why content and not uricontent? Holger Mense (Apr 12)
- Re: Why content and not uricontent? Brian (Apr 13)
- Re: Why content and not uricontent? Holger Mense (Apr 21)
- Re: Why content and not uricontent? Matt Kettler (Apr 21)
- Re: Why content and not uricontent? Holger Mense (Apr 21)
- Re: Why content and not uricontent? Holger Mense (Apr 21)
- Re: Why content and not uricontent? Brian (Apr 13)