Snort mailing list archives

Re: uricontent....


From: Brian <bmc () snort org>
Date: Wed, 18 May 2005 11:12:50 -0400

On Wed, May 18, 2005 at 09:33:46AM -0400, Jeff Heckart wrote:
> I am slightly unclear on the documentation for uricontent....
>
> Can the same descriptors be used for uricontent as for content?
>
> (nocase,rawbytes,depth,offset,distance,within)

IIRC, all except rawbytes will work.  However, it might not work as
you might expect.

Let's suppose the following rule:
    uricontent:"foo"; depth:3; uricontent:"bar"; depth:3;

When dealing with content, this rule would never fire.  It is not
possible to have two different strings in the same location.  However,
httpinspect marks all of the possible URIs in a packet.  During
detection, the URI matching is attempted on all of the URIs.

However, the above rule will match on a request such as this:

        GET foo HTTP/1.1
        Host: server
        Connection: Keep-Alive
        
        GET bar HTTP/1.1
        Host: server
        Connect: close

Things get more interesting when you get into relativity.  If you keep
these oddities in mind, you should be ok.

Brian
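
A simplified Python model of the behaviour described in the message above, added here as an example; it is not part of the original post and is not Snort's code. The function names are hypothetical, the payloads are constructed, and the "each option may be satisfied by any marked URI" logic is an assumption drawn from the description above.

```python
import re

# Request lines in a payload; pipelined requests yield more than one URI.
REQUEST_LINE = re.compile(rb"^(?:GET|POST|HEAD) (\S+) HTTP/1\.[01]\r?$", re.M)

# The rule from the post as (pattern, depth) pairs.
RULE = [(b"foo", 3), (b"bar", 3)]

# Constructed payloads: the pipelined request from the post, and a single request.
PIPELINED = (b"GET foo HTTP/1.1\r\nHost: server\r\nConnection: Keep-Alive\r\n\r\n"
             b"GET bar HTTP/1.1\r\nHost: server\r\nConnect: close\r\n\r\n")
SINGLE = b"GET foo HTTP/1.1\r\nHost: server\r\n\r\n"


def extract_uris(payload):
    """Return every request URI found in the payload, in order."""
    return REQUEST_LINE.findall(payload)


def match_depth(buf, pattern, depth):
    """True if pattern lies wholly within the first `depth` bytes of buf."""
    return pattern in buf[:depth]


def content_rule(payload, terms):
    """content-style: every term is tested against the one payload buffer."""
    return all(match_depth(payload, p, d) for p, d in terms)


def uricontent_rule(payload, terms):
    """uricontent-style (assumed model): each term passes if any URI matches it."""
    uris = extract_uris(payload)
    return all(any(match_depth(u, p, d) for u in uris) for p, d in terms)


if __name__ == "__main__":
    print("URIs marked:", extract_uris(PIPELINED))
    print("content on 'foobar':", content_rule(b"foobar", RULE))
    print("uricontent, single request:", uricontent_rule(SINGLE, RULE))
    print("uricontent, pipelined:", uricontent_rule(PIPELINED, RULE))
```

When reviewing alerts from a rule with several uricontent options, check whether the matched strings came from the same request or from separate pipelined requests in one packet.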

