Snort mailing list archives

RE: uricontent option in 1.9 vs 1.8.6


From: Erek Adams <erek () snort org>
Date: Wed, 26 Feb 2003 09:49:54 -0500 (EST)

On Wed, 26 Feb 2003, David Gordon wrote:

> Thanks. I guess I don't understand why this would be a false positive.

It's ok, just go get another cup of coffee.  It may not help, but it's a
good excuse for that 2:30pm after lunch crankiness when bothered by that
Luser from department X.  ;-)

> The Arachnids description states the following:
>
> URI Content: ".ida?"
> The packet offset is zero, meaning that we start looking
> for this content string in the start of the packet data.
> This is a case sensitive search.
>
> In my case, ".ida?" does in fact show up in the packet data.

> Perhaps I don't understand the difference between content and uricontent. I
> thought that "content" would be anything in the payload of any TCP packet
> and that "uricontent" would be the result of the http_decode preprocessor
> reassembling (and de-obfuscating) packets to port 80 (or whatever ports are
> defined as being used for http).

Yes, content is anywhere in the packet.

Uricontent is content only in the URI.  If you have a wade through--God, I
_hate_ reading those damned things--the RFC that Joe linked to, you'll
find a paragraph:

   A URI can be further classified as a locator, a name, or both.  The
   term "Uniform Resource Locator" (URL) refers to the subset of URI
   that identify resources via a representation of their primary access
   mechanism (e.g., their network "location"), rather than identifying
   the resource by name or by some other attribute(s) of that resource.
   The term "Uniform Resource Name" (URN) refers to the subset of URI
   that are required to remain globally unique and persistent even when
   the resource ceases to exist or becomes unavailable.

In human speak, that comes out as "It's a standard for having a uniform
identifier for resources, which also designates what the protocol is to
get to the resource."  (Or that's how I read it...  :)

So uricontent only looks at the
'http://www.foo.com/foofus/bunny/rabbit.html' and nothing else in the
packet.

Oh, and as usual, if I'm wrong, will someone beat me about the head with a
clue stick?

> Wouldn't the content of this packet also be uricontent?

Not quite...  The content of the _entire_ packet, even the packet headers.
So if you were searching for a sequence number you would use content.  If
you are looking for something in the URI, then uricontent.  If you are
looking for binary data that would be after the URI or there is no URI,
then use content.

If you have it, could you post (or private email) a full packet dump of
the packet that's triggering/not triggering the alert?

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
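The content/uricontent distinction discussed in this thread, as an added example that is not part of the original post and not Snort's own code. It is a toy model in Python: `content_match` searches the whole application payload, while `uricontent_match` first pulls the request-target out of the HTTP request line and undoes %XX encoding (a simplified stand-in for what the http_decode preprocessor does) before searching. The three sample requests are constructed for the example, not captured traffic, and `rule_matches` is a hypothetical helper that ANDs a list of content/uricontent options the way a rule body would.

```python
"""Toy model of Snort 'content' vs. 'uricontent' matching (added example)."""
from typing import List, Optional, Tuple
from urllib.parse import unquote_to_bytes


def extract_uri(payload: bytes) -> Optional[bytes]:
    """Return the request-target from an HTTP request line, or None when the
    payload does not start with one (binary data, mid-stream segment, ...)."""
    request_line, _, _ = payload.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[1]


def normalize_uri(uri: bytes) -> bytes:
    """Simplified de-obfuscation: undo %XX percent-encoding only.
    (The real http_decode preprocessor does more; this is an assumption
    made for the example.)"""
    return unquote_to_bytes(uri)


def content_match(payload: bytes, pattern: bytes, nocase: bool = False) -> bool:
    """'content': the pattern may appear anywhere in the payload."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def uricontent_match(payload: bytes, pattern: bytes, nocase: bool = False) -> bool:
    """'uricontent': the pattern must appear in the normalized request URI;
    anything in headers or body is ignored, and a non-HTTP payload never matches."""
    uri = extract_uri(payload)
    if uri is None:
        return False
    uri = normalize_uri(uri)
    if nocase:
        return pattern.lower() in uri.lower()
    return pattern in uri


# Hypothetical rule representation: (keyword, pattern, nocase) tuples,
# e.g. the body of  ...(msg:"x"; uricontent:".ida?"; content:"NNNN";)
Option = Tuple[str, bytes, bool]


def rule_matches(options: List[Option], payload: bytes) -> bool:
    """All options in a rule body must match for the rule to fire (logical AND)."""
    for keyword, pattern, nocase in options:
        if keyword == "content":
            ok = content_match(payload, pattern, nocase)
        elif keyword == "uricontent":
            ok = uricontent_match(payload, pattern, nocase)
        else:
            raise ValueError("unsupported option: %s" % keyword)
        if not ok:
            return False
    return True


# Constructed sample requests (not captured traffic).
REQ_URI = b"GET /default.ida?NNNN HTTP/1.0\r\nHost: www.foo.com\r\n\r\n"
REQ_ENCODED = b"GET /default%2Eida%3FNNNN HTTP/1.0\r\nHost: www.foo.com\r\n\r\n"
REQ_BODY = (b"POST /upload HTTP/1.0\r\nHost: www.foo.com\r\n"
            b"Content-Length: 23\r\n\r\nnote: check .ida? later")


def demo() -> dict:
    """Show where each option does and does not match the string '.ida?'."""
    pat = b".ida?"
    return {
        "in_uri": (content_match(REQ_URI, pat), uricontent_match(REQ_URI, pat)),
        # raw bytes never contain '.ida?', only the decoded URI does
        "encoded_uri": (content_match(REQ_ENCODED, pat), uricontent_match(REQ_ENCODED, pat)),
        # '.ida?' is in the body, so content fires but uricontent does not
        "in_body": (content_match(REQ_BODY, pat), uricontent_match(REQ_BODY, pat)),
    }


if __name__ == "__main__":
    for name, (c, u) in demo().items():
        print("%-12s content=%s uricontent=%s" % (name, c, u))
```

Running it shows the three cases side by side: the plain request matches both options, the percent-encoded request matches only uricontent (the decoded URI is what is searched), and the request carrying ".ida?" in its body matches only content.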

