Snort mailing list archives
Re: uricontent option in 1.9 vs 1.8.6
From: Brian <bmc () snort org>
Date: Wed, 26 Feb 2003 10:00:55 -0500
Can someone please explain to me why the rule for sid 1242 acts differently in snort 1.8.6 vs. snort 1.9?
<snip>
The following packet generates an alert when running Snort 1.8.6, but not Snort 1.9:

02/16-02:18:38.582833 217.234.56.78:3306 -> 123.456.78.90:80
TCP TTL:112 TOS:0x0 ID:43759 IpLen:20 DgmLen:1492 DF
***AP*** Seq: 0xAEAD8723 Ack: 0xB2DB3D32 Win: 0x4410 TcpLen: 20
/default.ida?N
Because that isn't a valid URI. The content "GET /default.ida?N" is valid. HTTP specifies requests should have a method, then a URI, and then a version, then extra headers. The version and extra headers are optional. The method and URI are not.

Try this and see if it triggers on your installation of snort 1.9:

echo "GET /default.ida?N HTTP/1.0" | nc your.server.here 80

-brian
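A simplified model of the distinction drawn in the reply above, added here as an illustration; it is not part of the thread and is not Snort's decoder. The request-line regex, the function names and the `PATTERN` value are assumptions made for the example: a raw content search sees every payload byte, while a URI-only search sees nothing unless the first line parses as method plus URI.

```python
import re

# Simplified model (assumption, not Snort's decoder): a request line is a
# method, then a URI, then an optional version, as the reply describes.
REQUEST_LINE = re.compile(rb"^([A-Z]+) +(\S+)(?: +(HTTP/\d\.\d))?\r?$")

# Constructed pattern for illustration; not the text of sid 1242.
PATTERN = b"/default.ida"


def extract_uri(payload):
    """Return the URI from the first line, or None if that line is not
    shaped like an HTTP request line (for example, no method)."""
    first_line = payload.split(b"\n", 1)[0]
    match = REQUEST_LINE.match(first_line)
    return match.group(2) if match else None


def content_match(payload, pattern=PATTERN):
    """Model of a raw payload search: looks at every byte."""
    return pattern in payload


def uricontent_match(payload, pattern=PATTERN):
    """Model of a URI-only search: looks only at the extracted URI."""
    uri = extract_uri(payload)
    return uri is not None and pattern in uri


# Constructed payloads based on the two cases in the thread.
SAMPLES = {
    "no method (packet in the question)": b"/default.ida?N",
    "full request line (nc test)": b"GET /default.ida?N HTTP/1.0\n",
    "method and URI, no version": b"GET /default.ida?N\n",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label}: content={content_match(payload)} "
              f"uricontent={uricontent_match(payload)}")
```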