[Snort-sigs] [Emerging-Sigs] what's the real difference here?
wkitty42 at ...3507...
Wed Jul 14 12:22:23 EDT 2010
On 7/13/2010 19:10, Joel Esler wrote:
> On Jul 13, 2010, at 6:58 PM, waldo kitty wrote:
>> On 7/13/2010 18:40, Joel Esler wrote:
>>> CC'ing Snort-Sigs list:
>>> Copy and paste out of the manual for http_uri:
>>> "Using a content rule option followed by a http uri modifier is the same as using a uricontent by itself."
>> that's what i thought... so... if i may be so bold... why the change in format?
>> which is better? is one preferred over the other? which one?
> Not sure of the reasoning behind it. Maybe a Devel or VRT can chime in on that one.
ok... i just also sub'd to snort-sigs... because of their inclusion in these
messages... maybe the moderator over there will approve my previous reply in
this thread... it is waiting approval because i wasn't a list member when it was

anyway, what brought the above to my attention is that i recently updated one of
my snort units' VRT rules... they were 78 days behind (due to the changes at
snort.org and the update script not having been updated)... this resulted in a
2.8Meg oinkmaster log file so i went snooping to see what all had been done...

a huge number of "modified active" signatures had only the change i'm asking
about in them... switching from "uricontent:blah;" to "content:blah; http_uri;"
and nothing else...

and so my curiosity was highly aroused and here we are ;)
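
An added example, not part of the original message or of any Snort tooling: a sketch of how a large "modified active" log could be triaged, relying on the manual's statement quoted above that `content` followed by `http_uri` is the same as `uricontent`. The rules and sid are constructed, the modifier list is partial, and ignoring `rev` assumes it is bumped on every edit.

```python
# Content modifiers that bind to the preceding content/uricontent (partial list).
MODIFIERS = {"nocase", "depth", "offset", "distance", "within",
             "rawbytes", "fast_pattern", "http_uri"}

def split_options(rule):
    """Split the option body on ';', honouring quotes and backslash escapes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, quoted, escaped = [], "", False, False
    for ch in body:
        if ch == ";" and not quoted and not escaped:
            opts.append(cur.strip())
            cur = ""
            continue
        if ch == '"' and not escaped:
            quoted = not quoted
        escaped = (ch == "\\" and not escaped)
        cur += ch
    return [tuple(p.strip() for p in o.partition(":")[::2]) for o in opts if o]

def normalize(rule):
    """Canonical form: uricontent folded into content + http_uri, rev dropped."""
    canon = []
    for name, value in split_options(rule):
        if name == "rev":  # assumption: rev is bumped on every edit
            continue
        if name in ("content", "uricontent"):
            mods = {"http_uri"} if name == "uricontent" else set()
            canon.append(["content", value, mods])
        elif name in MODIFIERS and canon and canon[-1][0] == "content":
            canon[-1][2].add(f"{name}:{value}" if value else name)
        else:
            canon.append([name, value, set()])
    header = rule[:rule.index("(")].split()
    return header, [(n, v, frozenset(m)) for n, v, m in canon]

def classify(old, new):
    """Label a rule update: unchanged, uricontent-rewrite, or substantive."""
    if normalize(old) != normalize(new):
        return "substantive"
    count = lambda r: sum(n == "uricontent" for n, _ in split_options(r))
    return "uricontent-rewrite" if count(old) != count(new) else "unchanged"

# Constructed sample rules (not real VRT signatures).
OLD = 'alert tcp any any -> any 80 (msg:"constructed"; uricontent:"/admin.php"; nocase; sid:1000001; rev:1;)'
NEW = 'alert tcp any any -> any 80 (msg:"constructed"; content:"/admin.php"; nocase; http_uri; sid:1000001; rev:2;)'
CHANGED = 'alert tcp any any -> any 80 (msg:"constructed"; content:"/admin.asp"; http_uri; sid:1000001; rev:2;)'

if __name__ == "__main__":
    print(classify(OLD, NEW))      # format-only change
    print(classify(OLD, CHANGED))  # pattern and modifiers differ
```

Updates labelled "substantive" are the ones left to read by hand.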