[Snort-sigs] [Emerging-Sigs] what's the real difference here?

Matt Watchinski mwatchinski at ...435...
Wed Jul 14 13:33:27 EDT 2010

content:"foo"; http_uri; is preferred.  Other than consistency with
the other content modifiers http_client_body, filedata, etc., it's easier
to parse one thing and not two.


On Wed, Jul 14, 2010 at 1:10 PM, Joel Esler <jesler at ...435...> wrote:
> On Jul 14, 2010, at 12:22 PM, waldo kitty wrote:
>> On 7/13/2010 19:10, Joel Esler wrote:
>>> On Jul 13, 2010, at 6:58 PM, waldo kitty wrote:
>>>> On 7/13/2010 18:40, Joel Esler wrote:
>>>>> CC'ing Snort-Sigs list:
>>>>> Copy and paste out of the manual for http_uri:
>>>>> "Using a content rule option followed by a http uri modifier is the same as using a uricontent by itself."
>>>> that's what i thought... so... if i may be so bold... why the change in format?
>>>> which is better? is one preferred over the other? which one?
>>> Not sure of the reasoning behind it.  Maybe a Devel or VRT can chime in on that one.
>> a huge number of "modified active" signatures had only the change i'm asking
>> about in them... switching from "uricontent:blah;" to "content:blah; http_uri;"
>> and nothing else...
>> and so my curiosity was highly aroused and here we are ;)
> I noticed that as well when I was looking at the botnet-cnc and what not (new rule categories) rules.
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

Matthew Watchinski
Sr. Director Vulnerability Research Team (VRT)
Sourcefire, Inc.
Office: 410-423-1928
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
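The bulk rewrite the thread is discussing, expressed as a small Python helper that is added here and is not code from the list or from Snort: it turns each `uricontent:` option into the equivalent `content:` plus `http_uri;` pair, tokenising the option body on `;` outside double quotes so values such as `"/foo;bar"` survive, and leaving negation and any trailing modifiers (e.g. `nocase`) attached to the same content. It assumes a one-line rule whose options sit inside the last pair of parentheses.

```python
import re

# Added example, not from the mailing list or the Snort project.
# Converts the older 'uricontent:"x";' option into 'content:"x"; http_uri;',
# which the Snort manual states is the same match.

def split_options(body):
    """Split a rule option body on ';' that is outside double quotes.

    Handles backslash escapes inside quoted values so a literal '\"' or ';'
    within a content string does not end the option early.
    """
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\" and in_quote:
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def convert_rule(rule):
    """Rewrite every uricontent option in a one-line Snort rule."""
    m = re.match(r"^(.*?)\((.*)\)\s*$", rule, re.S)  # header, then option body
    if not m:
        return rule  # not a rule with an option body: leave untouched
    header, body = m.group(1), m.group(2)
    out = []
    for opt in split_options(body):
        key, sep, val = opt.partition(":")
        if sep and key.strip() == "uricontent":
            # Negation (uricontent:!"x") is kept as part of the value.
            out.append("content:" + val.strip())
            out.append("http_uri")
        else:
            out.append(opt)
    return header + "(" + "; ".join(out) + ";)"
```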
