[Snort-devel] URI path, query discrimination

Martin Roesch roesch at ...402...
Tue Mar 22 06:06:59 EST 2005


Thanks for the suggestion Mike, we'll take a look at it.

      -Marty

On Mar 18, 2005, at 11:00 PM, Michael J. Pomraning wrote:

> (wishlist item concerning HTTP requests: "<path>?<query>")
>
> It'd be convenient if 'uricontent' and 'pcre //U' matches could be
> explicitly restricted to either the decoded path component, the
> decoded query string (perhaps including the initial '?'), or, as is
> currently the case, the full and decoded request URI.
>
> We've all had F-Ps where a sig intending to match part of the path
> tripped on part of the query string, and vice versa.  pcre can help,
> but gets ugly quickly ("/(^|[^?]+)\byucky\.cgi(\?|$)/U").  Moreover,
> pcres can never be perfect here:  only the preprocessor can know which
> '?' in a decoded URI was the actual path/query boundary.
>
> Regards,
> Mike
> -- 
> Michael J. Pomraning, CISSP
> Project Manager, Infrastructure
> SecurePipe, Inc. - Managed Internet Security
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend. - http://www.sourcefire.com
Snort: Open Source Intrusion Detection and Prevention - 
http://www.snort.org
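
The path/query ambiguity raised in the quoted message, as an added example that is not part of the original thread or of Snort's code: it compares matching on the full decoded URI with matching on a path that was split off before decoding. The sample URIs are constructed, `urllib.parse.unquote` stands in for the preprocessor's decoding, and the anchored regex is an assumed variant of the pcre workaround, not the message's exact pattern.

```python
import re
from urllib.parse import unquote

# Anchored variant of the pcre workaround (assumption, not the message's exact pattern).
ANCHORED_RE = re.compile(r"^[^?]*\byucky\.cgi(\?|$)")
# The same signature, scoped to the decoded path component only.
PATH_RE = re.compile(r"\byucky\.cgi$")

# Constructed sample request URIs, raw as they would appear on the wire.
SAMPLES = {
    "real_hit": "/cgi-bin/yucky.cgi?id=1",
    "in_query": "/search.cgi?next=/cgi-bin/yucky.cgi",
    "encoded_qmark": "/cgi-bin/yucky.cgi%3Fx/real.cgi?a=1",
}

def split_then_decode(raw_uri):
    """Split at the first literal '?' of the raw URI, then decode each side."""
    path, sep, query = raw_uri.partition("?")
    return unquote(path), (unquote(query) if sep else None)

def evaluate(raw_uri):
    """Return what each matching strategy reports for one raw URI."""
    decoded = unquote(raw_uri)  # full decoded URI: the real boundary is no longer visible
    path, _query = split_then_decode(raw_uri)
    return {
        "substring_full": "yucky.cgi" in decoded,                  # plain content match
        "anchored_full": ANCHORED_RE.search(decoded) is not None,  # regex on full URI
        "path_scoped": PATH_RE.search(path) is not None,           # match on path only
    }

if __name__ == "__main__":
    for name, uri in SAMPLES.items():
        print(f"{name:14} {uri:40} {evaluate(uri)}")
```

The `encoded_qmark` case is the one no regex over the decoded URI can resolve: after decoding, the `%3F` inside the path is indistinguishable from the real path/query separator.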




