[Snort-sigs] Not uricontent

lists at ...3397...
Thu Feb 23 17:49:16 EST 2012


On 02/23/12 15:40, Andrew Torres wrote:
> Can anyone advise on a method to write a rule that says all content except
> uricontent. An example of this would be looking for a string in the body of
> the text but not in the uri.
> Please Advise. Thanks

Hi Andrew, so when you use the content:"" keyword unconstrained to a buffer you
end up with a situation like you've described.  There are two ways to approach this:

1) You could use some of the http_* content modifiers like http_header,
http_client_body, http_cookie, etc.

2) You could use a plain content match coupled with a negated content match
against http_uri.  Consider the below:

#Match 'foo' but not if 'foo' is in the URI
content:"foo"; content:!"foo"; http_uri;

Thanks,
Nathan
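
The two approaches in the reply above do not fire on the same traffic. This is an added example, not part of the original post: a simplified Python model of the buffers involved (no URI normalization), run over constructed requests. The function names and sample data are hypothetical.

```python
# Added example: simplified model of how the two rule fragments evaluate.
# Assumption: "raw" is the whole request payload, http_uri is the URI from the
# request line, http_client_body is everything after the blank line.

def split_buffers(raw: bytes) -> dict:
    """Split a raw HTTP request into the buffers the two approaches inspect."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    return {"raw": raw, "http_uri": uri, "http_client_body": body}

def approach_1(raw: bytes, needle: bytes) -> bool:
    # Models: content:"foo"; http_client_body;
    return needle in split_buffers(raw)["http_client_body"]

def approach_2(raw: bytes, needle: bytes) -> bool:
    # Models: content:"foo"; content:!"foo"; http_uri;
    # The unconstrained match searches the whole payload, URI included;
    # the negated match then requires the string to be absent from the URI.
    buffers = split_buffers(raw)
    return needle in buffers["raw"] and needle not in buffers["http_uri"]

def make_request(uri: bytes, body: bytes, cookie: bytes = b"sid=1") -> bytes:
    """Build a constructed sample POST request."""
    return (b"POST " + uri + b" HTTP/1.1\r\nHost: example.test\r\nCookie: "
            + cookie + b"\r\nContent-Length: " + str(len(body)).encode()
            + b"\r\n\r\n" + body)

# Constructed sample traffic covering each placement of the string.
SAMPLES = {
    "body_only": make_request(b"/submit", b"q=foo"),
    "uri_only": make_request(b"/foo", b"q=bar"),
    "both": make_request(b"/foo", b"q=foo"),
    "cookie_only": make_request(b"/submit", b"q=bar", cookie=b"name=foo"),
}

def evaluate(needle: bytes = b"foo") -> dict:
    """Return {sample: (approach_1 fires, approach_2 fires)}."""
    return {name: (approach_1(req, needle), approach_2(req, needle))
            for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, (a1, a2) in evaluate().items():
        print(f"{name:12} approach 1: {a1!s:5}  approach 2: {a2}")
```

Approach 2 stays silent whenever the string is in the URI, even if it is also in the body, and it fires on matches outside the body such as a cookie; approach 1 only looks at the body.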



