[Snort-devel] URI path, query discrimination
roesch at ...402...
Tue Mar 22 06:06:59 EST 2005
Thanks for the suggestion Mike, we'll take a look at it.
On Mar 18, 2005, at 11:00 PM, Michael J. Pomraning wrote:
> (wishlist item concerning HTTP requests: "<path>?<query>")
> It'd be convenient if 'uricontent' and 'pcre //U' matches could be
> explicitly restricted to either the decoded path component, the
> decoded query string (perhaps including the initial '?'), or, as is
> currently the case, the full and decoded request URI.
> We've all had F-Ps where a sig intending to match part of the path
> tripped on part of the query string, and vice versa. pcre can help,
> but gets ugly quickly ("/(^|[^?]+)\byucky\.cgi(\?|$)/U"). Moreover,
> pcres can never be perfect here: only the preprocessor can know which
> '?' in a decoded URI was the actual path/query boundary.
> Michael J. Pomraning, CISSP
> Project Manager, Infrastructure
> SecurePipe, Inc. - Managed Internet Security
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real
> Discover which products truly live up to the hype. Start reading now.
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend. - http://www.sourcefire.com
Snort: Open Source Intrusion Detection and Prevention -
More information about the Snort-devel