[Snort-sigs] [Emerging-Sigs] what's the real difference here?

Joel Esler jesler at ...435...
Wed Jul 14 13:10:18 EDT 2010


On Jul 14, 2010, at 12:22 PM, waldo kitty wrote:
> 
> On 7/13/2010 19:10, Joel Esler wrote:
>> On Jul 13, 2010, at 6:58 PM, waldo kitty wrote:
>>> 
>>> On 7/13/2010 18:40, Joel Esler wrote:
>>>> CC'ing Snort-Sigs list:
>>>> 
>>>> Copy and paste out of the manual for http_uri:
>>>> 
>>>> "Using a content rule option followed by a http uri modifier is the same as using a uricontent by itself."
>>> 
>>> that's what i thought... so... if i may be so bold... why the change in format?
>>> which is better? is one preferred over the other? which one?
>> 
>> Not sure of the reasoning behind it.  Maybe a Devel or VRT can chime in on that one.
> 
> a huge number of "modified active" signatures had only the change i'm asking 
> about in them... switching from "uricontent:blah;" to "content:blah; http_uri;" 
> and nothing else...
> 
> and so my curiosity was highly aroused and here we are ;)

I noticed that as well when I was looking at the botnet-cnc and what not (new rule categories) rules.  
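
An added example, not part of the original message: a Python check for whether two versions of a rule differ only by the `uricontent:blah;` to `content:blah; http_uri;` rewrite discussed in this thread. It relies on the equivalence quoted from the manual above. The sample rules, their sids, the modifier subset, and the decision to ignore `rev` are assumptions made for the example.

```python
import re

# Options treated as modifiers of the preceding content match
# (a subset, chosen for this example).
MODIFIERS = {"nocase", "depth", "offset", "distance", "within", "http_uri"}

def parse_options(rule):
    """Return the rule's options as (name, value) pairs."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    pairs = []
    for raw in re.split(r"(?<!\\);", body):  # split on unescaped ';'
        if raw.strip():
            name, _, value = raw.strip().partition(":")
            pairs.append((name.strip(), value.strip()))
    return pairs

def canonical(rule, ignore=("rev",)):
    """Header plus options, with uricontent rewritten to content + http_uri."""
    header = rule[: rule.index("(")].split()
    opts = []
    for name, value in parse_options(rule):
        if name in ignore:
            continue  # assumption: a re-released rule carries a new rev
        if name == "uricontent":
            opts.append(("content", value, {("http_uri", "")}))
        elif name in MODIFIERS and opts and opts[-1][0] == "content":
            opts[-1][2].add((name, value))  # modifier order is irrelevant
        else:
            opts.append((name, value, set()))
    return header, [(n, v, frozenset(m)) for n, v, m in opts]

def count_uricontent(rule):
    return sum(1 for name, _ in parse_options(rule) if name == "uricontent")

def only_uricontent_rewrite(old, new):
    """True if old and new differ solely by uricontent -> content; http_uri."""
    return (count_uricontent(old) > count_uricontent(new)
            and canonical(old) == canonical(new))

# Constructed sample rules (not from any real rule set).
HDR = 'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
OLD = HDR + '(msg:"EXAMPLE checkin"; flow:established,to_server; uricontent:"/checkin.php?id="; nocase; sid:1000001; rev:3;)'
NEW = HDR + '(msg:"EXAMPLE checkin"; flow:established,to_server; content:"/checkin.php?id="; http_uri; nocase; sid:1000001; rev:4;)'
EDITED = NEW.replace("/checkin.php", "/check.php")

if __name__ == "__main__":
    print(only_uricontent_rewrite(OLD, NEW))     # True
    print(only_uricontent_rewrite(OLD, EDITED))  # False
```

Run over the old and new copies of a rule file keyed by sid, this separates rules whose only change is the format switch from rules whose detection logic actually changed.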


