Snort mailing list archives

[snort-users] uricontent


From: pierz <pierz () indahax com>
Date: Thu, 13 Dec 2007 15:54:36 +0100

OK, you probably didn't understand my crappy English.

The input/parameter/whatever named 'check' with the value 'pierz' is
not part of the URI. This packet should not alert.

Another example; look at these two rules:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:".php in uri"; flow:established,to_server; uricontent:".php"; nocase; sid:123;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:".php and http in uri"; flow:established,to_server; uricontent:".php"; nocase; uricontent:"http"; nocase; sid:456;)

Now look at the following packets; they are only detected by the first rule:

[PACKET1]
POST / HTTP/1.1
Host: 192.168.1.2
Content-type: application/x-www-form-urlencoded

postinput=.php
[/PACKET1]
[PACKET2]
GET /somefile.php HTTP/1.1
Host: 192.168.1.2
[/PACKET2]
[PACKET3]
POST /somefile.php HTTP/1.1
Host: 192.168.1.2
Content-type: application/x-www-form-urlencoded

backdoor=http
[/PACKET3]

OK, I think PACKET1 should not be detected by the Snort rules,
because postinput=.php is not part of the URI.

Now, if PACKET1 matches the first rule, I don't understand why PACKET3
doesn't match the second rule!

I'm using the latest version of Snort.
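
As an added illustration (not part of the original message or of Snort itself), a small Python model of the two rules above: `uricontent` patterns are searched in the request URI only, while plain `content` patterns are searched in the whole payload. It assumes the rules reduce to their pattern lists with nocase and ignores Snort's URI normalization; the three requests are constructed inline from the post.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed inline from the three requests in the post (CRLF line endings added).
PACKETS: Dict[str, str] = {
    "PACKET1": ("POST / HTTP/1.1\r\nHost: 192.168.1.2\r\n"
                "Content-type: application/x-www-form-urlencoded\r\n\r\npostinput=.php"),
    "PACKET2": "GET /somefile.php HTTP/1.1\r\nHost: 192.168.1.2\r\n\r\n",
    "PACKET3": ("POST /somefile.php HTTP/1.1\r\nHost: 192.168.1.2\r\n"
                "Content-type: application/x-www-form-urlencoded\r\n\r\nbackdoor=http"),
}

# The two rules reduced to their uricontent patterns; both rules use nocase.
RULES: Dict[int, List[str]] = {123: [".php"], 456: [".php", "http"]}

REQUEST_LINE = re.compile(r"^[A-Z]+ (\S+) HTTP/\d\.\d\r?\n")


def request_uri(payload: str) -> Optional[str]:
    """Return the URI from the request line, or None if this is not an HTTP request."""
    m = REQUEST_LINE.match(payload)
    return m.group(1) if m else None


def all_patterns_present(haystack: str, patterns: List[str]) -> bool:
    """nocase semantics: every pattern must appear, case-insensitively."""
    h = haystack.lower()
    return all(p.lower() in h for p in patterns)


def matching_sids(payload: str, buffer: str = "uri") -> Set[int]:
    """SIDs that fire for one request.

    buffer="uri": patterns are searched in the request URI only (uricontent).
    buffer="raw": patterns are searched in the whole payload (plain content).
    """
    if buffer == "uri":
        haystack = request_uri(payload)
        if haystack is None:
            return set()  # no URI buffer, so no uricontent rule can fire
    else:
        haystack = payload
    return {sid for sid, pats in RULES.items() if all_patterns_present(haystack, pats)}


def evaluate_all(buffer: str = "uri") -> Dict[str, Set[int]]:
    return {name: matching_sids(p, buffer) for name, p in PACKETS.items()}
```

With the URI buffer only PACKET2 and PACKET3 fire sid 123 and nothing fires sid 456; against the raw payload every packet fires both rules, because "HTTP/1.1" in the request line satisfies the nocase "http" pattern.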
