Re: [Emerging-Sigs] what s the real difference here?

[waldo kitty <wkitty42 () windstream net>]

On 7/13/2010 19:10, Joel Esler wrote:
> On Jul 13, 2010, at 6:58 PM, waldo kitty wrote:
> > On 7/13/2010 18:40, Joel Esler wrote:
> > > CC'ing Snort-Sigs list:
> > >
> > > Copy and paste out of the manual for http_uri:
> > >
> > > "Using a content rule option followed by a http uri modifier is the same as using a uricontent by itself."
> >
> > that's what i thought... so... if i may be so bold... why the change in format?
> > which is better? is one preferred over the other? which one?
>
> Not sure of the reasoning behind it.  Maybe a Devel or VRT can chime in on that one.

ok... i just also sub'd to snort-sigs... because of their inclusion in these 
messages... maybe the moderator over there will approve my previous reply in 
this thread... it is waiting approval because i wasn't a list member when it was 
written...

anyway, what brought the above to my attention is that i recently updated one of 
my snort units' VRT rules... they were 78 days behind (due to the changes at 
snort.org and the update script not having been updated)... this resulted in a 
2.8Meg oinkmaster log file so i went snooping to see what all had been done...

a huge number of "modified active" signatures had only the change i'm asking 
about in them... switching from "uricontent:blah;" to "content:blah; http_uri;" 
and nothing else...

and so my curiosity was highly aroused and here we are ;)

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs