[Snort-devel] URI path, query discrimination

Michael J. Pomraning mjp-snort at ...806...
Fri Mar 18 20:28:47 EST 2005

(wishlist item concerning HTTP requests: "<path>?<query>")

It'd be convenient if 'uricontent' and 'pcre //U' matches could be
explicitly restricted to either the decoded path component, the
decoded query string (perhaps including the initial '?'), or, as is
currently the case, the full and decoded request URI.

We've all had F-Ps where a sig intending to match part of the path
tripped on part of the query string, and vice versa.  pcre can help,
but gets ugly quickly ("/(^|[^?]+)\byucky\.cgi(\?|$)/U").  Moreover,
pcres can never be perfect here:  only the preprocessor can know which
'?' in a decoded URI was the actual path/query boundary.

Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security
