[Snort-sigs] [Emerging-Sigs] what s the real difference here?

waldo kitty wkitty42 at ...3507...
Wed Jul 14 12:22:23 EDT 2010

On 7/13/2010 19:10, Joel Esler wrote:
> On Jul 13, 2010, at 6:58 PM, waldo kitty wrote:
>> On 7/13/2010 18:40, Joel Esler wrote:
>>> CC'ing Snort-Sigs list:
>>> Copy and paste out of the manual for http_uri:
>>> "Using a content rule option followed by a http uri modifier is the same as using a uricontent by itself."
>> that's what i thought... so... if i may be so bold... why the change in format?
>> which is better? is one preferred over the other? which one?
> Not sure of the reasoning behind it.  Maybe a Devel or VRT can chime in on that one.

ok... i just also sub'd to snort-sigs... because of their inclusion in these 
messages... maybe the moderator over there will approve my previous reply in 
this thread... it is waiting approval because i wasn't a list member when it was 

anyway, what brought the above to my attention is that i recently updated one of 
my snort units' VRT rules... they were 78 days behind (due to the changes at 
snort.org and the update script not having been updated)... this resulted in a 
2.8Meg oinkmaster log file so i went snooping to see what all had been done...

a huge number of "modified active" signatures had only the change i'm asking 
about in them... switching from "uricontent:blah;" to "content:blah; http_uri;" 
and nothing else...

and so my curiosity was highly aroused and here we are ;)

More information about the Snort-sigs mailing list