Snort mailing list archives

Re: uricontent option in 1.9 vs 1.8.6


From: Chris Green <cmg () sourcefire com>
Date: Wed, 26 Feb 2003 13:32:14 -0500

David Gordon <dgordon () mmwec org> writes:

> Erek,
>
>> If you have it, could you post (or private email) a full packet dump of
>> the packet that's triggering/not triggering the alert?
>>
>> Cheers!
>>
>> -----
>> Erek Adams
>
> This may be relevant...
>
> I'm running snort against tcpdump output which used the tcpdump default
> snaplen, so maybe snort is not seeing everything it needs to see.

It definitely isn't.

> So the following are dumps of two packets. As you can see the GET is in the
> previous packet. As I understand it, http_decode should combine the packets
> before the uricontent rule is applied. But maybe it still doesn't meet the
> criteria for URI content.

It needs both sides of the conversation with preprocessor stream4 enabled.

Cheers,
Chris
-- 
Chris Green <cmg () sourcefire com>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod
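As an added example, not code from this thread or from the Snort project, this is the capture and Snort 1.9 configuration that Chris's answer implies: a full-snaplen capture (the tcpdump default of the time, 68 bytes, keeps little more than headers, so the URI never reaches the detection engine), then stream4 session tracking plus stream4_reassemble in both directions so a request split across segments is inspected as one buffer before http_decode and uricontent see it. The interface name, file names, the test rule and its sid are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Snort project.
# eth0, http.pcap, logs/, the test rule and sid 1000001 are assumptions.

# Capture with a full snaplen (-s 0). The old tcpdump default of 68 bytes
# keeps the headers only, so the GET line never reaches Snort's payload
# inspection and uricontent has nothing to match.
capture_http() {
    iface=$1; out=$2
    tcpdump -i "$iface" -s 0 -w "$out" 'tcp port 80'
}

# Snort 1.9 configuration fragment. stream4 tracks the session (the flow
# keyword depends on it); stream4_reassemble rebuilds client and server
# data so a request spread over two packets is inspected as one buffer;
# http_decode then normalizes the URI that uricontent matches against.
snort_conf() {
    cat <<'EOF'
var HTTP_SERVERS any
var EXTERNAL_NET any
preprocessor stream4: detect_scans, disable_evasion_alerts
preprocessor stream4_reassemble: both, ports all
preprocessor http_decode: 80 unicode iis_alt_unicode double_encode iis_flip_slash full_whitespace
output alert_fast: alert.txt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"TEST uricontent match"; flow:to_server,established; uricontent:"/cmd.exe"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)
EOF
}

# Replay the capture through Snort with that configuration; alerts land
# in $logdir/alert.txt via the alert_fast output plugin.
replay() {
    conf=$1; pcap=$2; logdir=$3
    mkdir -p "$logdir"
    snort -c "$conf" -r "$pcap" -l "$logdir"
}

# Usage:
#   capture_http eth0 http.pcap     # on the sensor, stop with Ctrl-C
#   snort_conf > uricontent.conf
#   replay uricontent.conf http.pcap logs
#   cat logs/alert.txt
```

A capture taken with the default snaplen cannot be repaired after the fact; the truncated bytes are gone, so the capture has to be redone with -s 0 (or a snaplen at least the link MTU) before the reassembly settings above make any difference.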

