[Snort-sigs] [Emerging-Sigs] what's the real difference here?

Joel Esler jesler at ...435...
Tue Jul 13 19:56:01 EDT 2010


On Jul 13, 2010, at 7:54 PM, evilghost at ...3397... wrote:
> 
> Joel Esler wrote:
>> On Jul 13, 2010, at 6:58 PM, waldo kitty wrote:
>>> On 7/13/2010 18:40, Joel Esler wrote:
>>>> CC'ing Snort-Sigs list:
>>>> 
>>>> Copy and paste out of the manual for http_uri:
>>>> 
>>>> "Using a content rule option followed by a http uri modifier is the same as using a uricontent by itself."
>>> that's what i thought... so... if i may be so bold... why the change in format? 
>>> which is better? is one preferred over the other? which one?
>> 
>> Not sure of the reasoning behind it.  Maybe a Devel or VRT can chime in on that one.
> 
> Riddle me this.  If I constrain a content match to the URI buffer (ala http_uri;) can I now use content modifiers which do not work with a uricontent match?  Some of these being depth, distance, isdataat, etc?

I'd like the Snort team to comment on this one, as I don't want to give you a wrong answer, but since it's reading a normalized field, my knee-jerk reaction is to say "no."





