[Snort-sigs] Quick uricontent question

lists at ...3397...
Wed Sep 19 16:45:15 EDT 2012


On 09/19/12 15:32, James Lay wrote:
> As I am reading the info on uricontent, the content is already 
> normalized...does that mean I don't have to hex anything with 
> "/counter.img?theme="?  Or does it matter.  Thanks all.

So before Alex jumps in, uricontent is deprecated in favor of http_uri as a
content modifier.  That being said, yeah, it still works, just like threshold
being deprecated.

So you have http_uri and http_raw_uri.  The latter isn't normalised; the former
is.  So:

%3D in http_uri is literally =
%3D in http_raw_uri is literally %3D

As I understand it, http_uri is faster than http_raw_uri, but I welcome
corrections here.

Check out 3.5.15 http_raw_uri and 3.5.14 http_uri

Thanks,
Nathan
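
The two buffers written out as rules for the string in the question. This is an added example, not part of the original message: the msg text, sids and address variables are constructed, and it assumes http_inspect is enabled for the ports in $HTTP_PORTS so that the HTTP buffers are populated.

```snort
# Constructed example rules; sids are placeholders for local rules.

# 1. Normalized buffer. "?" and "=" are typed as-is; they do not need hex.
#    A request sent as /counter.img?theme%3Dblue is decoded before the
#    match, so both the plain and the percent-encoded form hit this rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL counter.img theme parameter, normalized URI"; flow:to_server,established; content:"/counter.img?theme="; http_uri; sid:1000001; rev:1;)

# 2. The same pattern with "?" and "=" in hex pipe notation. This matches
#    exactly the same bytes as rule 1; the hex adds nothing here.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL counter.img theme parameter, hex notation"; flow:to_server,established; content:"/counter.img|3F|theme|3D|"; http_uri; sid:1000002; rev:1;)

# 3. Raw buffer. Matches only when the client literally sent %3D (or %3d,
#    because of nocase). A plain /counter.img?theme=blue does not hit it.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL counter.img theme parameter, percent-encoded ="; flow:to_server,established; content:"/counter.img?theme%3D"; nocase; http_raw_uri; sid:1000003; rev:1;)
```

Rule 3 is the one to use when the encoding itself is the thing being detected; for matching the parameter regardless of encoding, rule 1 is enough.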




