[Snort-sigs] Quick uricontent question

James Lay jlay at ...3266...
Wed Sep 19 16:51:46 EDT 2012


On 2012-09-19 14:45, lists at ...3397... wrote:
> On 09/19/12 15:32, James Lay wrote:
>> As I am reading the info on uricontent, the content is already
>> normalized...does that mean I don't have to hex anything with
>> "/counter.img?theme="?  Or does it matter.  Thanks all.
>
> So before Alex jumps in, uricontent is deprecated in favor of 
> http_uri as a
> content modifier.  That being said, yeah, it still works just like 
> threshold
> being deprecated.
>
> So you have http_uri and http_raw_uri.  The latter isn't normalised
> the former
> is.  So:
>
> %3D in http_uri is literally =
> %3D in http_raw_uri is literally %3D
>
> As I understand it http_uri is faster than http_raw_uri but I welcome
> corrections here.
>
> Check out 3.5.15 http_raw_uri and 3.5.14 http_uri
>
> Thanks,
> Nathan

Ah bugger...ok thanks Nathan....crossing out uricontent in yon Snort 
manual :)

James




More information about the Snort-sigs mailing list