Snort mailing list archives
FW: uricontent vs. content
From: "larosa, vjay" <larosa_vjay () emc com>
Date: Wed, 30 Oct 2002 15:20:18 -0500
Hello,

Anybody have any ideas on this post I made last night?

Thanks!
vjl
-----Original Message-----
From: larosa, vjay
Sent: Tuesday, October 29, 2002 8:29 PM
To: 'snort-users () lists sourceforge net'
Subject: uricontent vs. content

Hello,

I am working on an issue I am having with snort 1.9.0 build 209. I have two rules,

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida?X attempt"; uricontent:".ida?X"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243; rev:1;)

and

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida?X attempt"; content:".ida?X"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243; rev:1;)

The only difference between the two is that the first rule uses the uricontent keyword, and the second uses the plain old content option. The first rule doesn't work, the second does.

If the packet requesting the URL is:

get /default.ida?XXXXXXXXXXXXXXXX

Shouldn't both of these rules work (with the first one being more accurate)? Or am I interpreting the uricontent keyword incorrectly?

Thanks!
vjl

V.Jay LaRosa
EMC Corporation
Information Security
171 South Street
Hopkinton, MA 01748
www.emc.com
larosa_vjay () emc com
(508)249-3355 office
(508)498-5575 cell
(888)799-9750 pager
(508)497-8082 fax
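To make the difference between the two keywords concrete, here is an added Python model (not Snort code and not part of the thread) that treats content as a search over the whole packet payload and uricontent as a search over only the request-URI taken from the HTTP request line. The URI extractor, the padding helper and the sample requests are constructed assumptions; flags:A+ and the address and port tests are header checks this payload-only model leaves out.

```python
import re

PATTERN = b".ida?X"   # the pattern both rules in the thread carry
MIN_DSIZE = 240       # dsize:>239 means a payload of at least 240 bytes

# Request line: METHOD SP URI SP VERSION (method accepted in any case here;
# how Snort's HTTP preprocessor treats the request line is not modeled).
REQUEST_LINE = re.compile(rb"^([A-Za-z]+) ([^ \r\n]+) (HTTP/\d\.\d)\r?\n")

def extract_uri(payload: bytes):
    """Return the request-URI (the buffer uricontent searches), or None when
    the payload does not start with a well-formed HTTP request line."""
    m = REQUEST_LINE.match(payload)
    return m.group(2) if m else None

def content_match(payload: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """content: the pattern may sit anywhere in the packet payload."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload

def uricontent_match(payload: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """uricontent: the pattern must sit inside the request-URI itself."""
    uri = extract_uri(payload)
    return uri is not None and content_match(uri, pattern, nocase)

def rule_fires(payload: bytes, use_uricontent: bool) -> bool:
    """Evaluate the thread's rule on one payload (payload options only)."""
    if len(payload) < MIN_DSIZE:          # dsize:>239
        return False
    matcher = uricontent_match if use_uricontent else content_match
    return matcher(payload, PATTERN)

def pad(request: bytes) -> bytes:
    """Pad a constructed request with a filler header so dsize:>239 holds."""
    filler = b"X-Pad: " + b"x" * (MIN_DSIZE - len(request) - 9) + b"\r\n"
    return request + filler

# Constructed sample payloads (not captured traffic)
IN_URI = pad(b"get /default.ida?" + b"X" * 16 + b" HTTP/1.0\r\nHost: www.example\r\n")
IN_HEADER = pad(b"GET /index.html HTTP/1.0\r\nReferer: http://h/a.ida?X\r\n")
SHORT = b"GET /default.ida?XXXX HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, p in (("uri", IN_URI), ("header", IN_HEADER), ("short", SHORT)):
        print(name, "content:", rule_fires(p, False), "uricontent:", rule_fires(p, True))
```

The second sample shows why the uricontent form is the more precise rule: the pattern appears only in a Referer header, so content fires but uricontent does not.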