Snort mailing list archives

Re: [Emerging-Sigs] what's the real difference here?


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 13 Jul 2010 19:56:01 -0400

On Jul 13, 2010, at 7:54 PM, evilghost () packetmail net wrote:

> Joel Esler wrote:
>> On Jul 13, 2010, at 6:58 PM, waldo kitty wrote:
>>> On 7/13/2010 18:40, Joel Esler wrote:
>>>> CC'ing Snort-Sigs list:
>>>>
>>>> Copy and paste out of the manual for http_uri:
>>>>
>>>> "Using a content rule option followed by a http uri modifier is the same as using a uricontent by itself."
>>>
>>> that's what i thought... so... if i may be so bold... why the change in format?
>>> which is better? is one preferred over the other? which one?
>>
>> Not sure of the reasoning behind it.  Maybe a Devel or VRT can chime in on that one.
>
> Riddle me this.  If I constrain a content match to the URI buffer (ala http_uri;) can I now use content modifiers which do not work with a uricontent match?  Some of these being depth, distance, isdataat, etc?

I'd like the Snort team to comment on this one, as I don't want to give you a wrong answer, but since it's reading a normalized field, my knee jerk reaction is to say "no."
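For readers who have not seen the "change in format" the thread is asking about, here are the two rule forms the quoted manual sentence calls equivalent. This is an added example, not a rule from the thread or from the VRT/Emerging Threats rulesets; the URI string, message text and sids are constructed placeholders (sids in the 1000000+ local range).

```snort
# Added example, not from the thread. Both rules look for the same
# path in the normalized HTTP URI buffer; only the syntax differs.
# The URI and sids below are constructed placeholders.

# Older form: uricontent is its own keyword and always targets the
# normalized URI buffer.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE uricontent form"; flow:to_server,established; uricontent:"/cgi-bin/example.cgi"; nocase; classtype:web-application-activity; sid:1000001; rev:1;)

# Newer form: a generic content match, constrained to the normalized
# URI buffer by the http_uri modifier that follows it. nocase is placed
# before http_uri so it applies to this content, as in the old form.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXAMPLE http_uri form"; flow:to_server,established; content:"/cgi-bin/example.cgi"; nocase; http_uri; classtype:web-application-activity; sid:1000002; rev:1;)
```

Whether the additional modifiers evilghost lists (depth, distance, isdataat) behave the same on an http_uri-constrained content as on a uricontent match is exactly the open question of the thread, so neither rule above uses them.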



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs