[Snort-sigs] Quick uricontent question

Joel Esler jesler at ...435...
Thu Sep 20 15:16:26 EDT 2012


It's still there, and it'll work for the foreseeable future. We are planning on an enhancement next year that should make writing HTTP rules considerably easier. We'll have a bunch of blog posts about it when it gets closer to release.

http_uri and uricontent are the same.


On Sep 19, 2012, at 4:51 PM, James Lay <jlay at ...3266...> wrote:

> On 2012-09-19 14:45, lists at ...3397... wrote:
>> On 09/19/12 15:32, James Lay wrote:
>>> As I am reading the info on uricontent, the content is already
>>> normalized...does that mean I don't have to hex anything with
>>> "/counter.img?theme="?  Or does it matter.  Thanks all.
>> 
>> So before Alex jumps in, uricontent is deprecated in favor of http_uri as a
>> content modifier.  That being said, yeah, it still works just like threshold
>> being deprecated.
>> 
>> So you have http_uri and http_raw_uri.  The latter isn't normalised, the
>> former is.  So:
>> 
>> %3D in http_uri is literally =
>> %3D in http_raw_uri is literally %3D
>> 
>> As I understand it http_uri is faster than http_raw_uri but I welcome
>> corrections here.
>> 
>> Check out 3.5.15 http_raw_uri and 3.5.14 http_uri
>> 
>> Thanks,
>> Nathan
> 
> Ah bugger...ok thanks Nathan....crossing out uricontent in yon Snort manual :)
> 
> James
> 
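
The difference between the normalised and raw URI buffers described in the thread, as an added example that is not part of the original messages: a simplified Python model that evaluates three rule-option stand-ins against constructed request lines. The labels, sample requests and function names are hypothetical, and normalisation is assumed to be percent-decoding only.

```python
from urllib.parse import unquote

# Constructed request lines (not captured traffic): the URI from the thread,
# sent plain, with "=" percent-encoded, and with lower-case hex digits.
SAMPLE_REQUESTS = [
    "GET /counter.img?theme=blue HTTP/1.1",
    "GET /counter.img?theme%3Dblue HTTP/1.1",
    "GET /counter.img?theme%3dblue HTTP/1.1",
]

# Hypothetical stand-ins for three rule options: (label, content, buffer).
RULE_OPTIONS = [
    ("uri_plain", "/counter.img?theme=", "http_uri"),
    ("raw_plain", "/counter.img?theme=", "http_raw_uri"),
    ("raw_encoded", "theme%3D", "http_raw_uri"),
]


def uri_buffers(request_line):
    """Split a request line and return both views of the URI.

    Assumption: normalisation is modelled as percent-decoding only;
    Snort's HTTP preprocessor does more than this.
    """
    _method, raw_uri, _version = request_line.split(" ", 2)
    return {"http_raw_uri": raw_uri, "http_uri": unquote(raw_uri)}


def evaluate(request_line):
    """Return the labels of the rule options whose content matches."""
    buffers = uri_buffers(request_line)
    # Substring match is case-sensitive, like content without nocase.
    return [label for label, content, buf in RULE_OPTIONS
            if content in buffers[buf]]


def coverage():
    """Map every sample request line to the rule options that match it."""
    return {line: evaluate(line) for line in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for line, hits in coverage().items():
        print(f"{line:42} -> {hits}")
```

Only the match against the normalised buffer covers all three encodings of the same request; each raw-buffer match covers exactly one.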




