[Snort-users] uricontent vs. content

larosa, vjay larosa_vjay at ...3331...
Tue Oct 29 17:29:03 EST 2002


Hello,

I am working on an issue I am having with snort 1.9.0 build 209. I have two
rules,

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida?X attempt"; uricontent:".ida?X"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243; rev:1;)

and

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida?X attempt"; content:".ida?X"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243; rev:1;)

The only difference between the two is that the first rule uses the uricontent
keyword and the second uses the plain old content option. The first rule doesn't
work; the second does.

If the packet requesting the URL is:

get /default.ida?XXXXXXXXXXXXXXXX

Shouldn't both of these rules work (with the first one being more accurate)?
Or am I interpreting the uricontent keyword incorrectly?

Thanks!

vjl


V.Jay LaRosa              EMC Corporation
Information Security      171 South Street
(508)249-3355 office      Hopkinton, MA 01748
(508)498-5575 cell        www.emc.com
(888)799-9750 pager       larosa_vjay at ...3331...
(508)497-8082 fax
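Added illustration (not part of the original post, and not Snort's own code): the practical difference between the two keywords is that content is matched against the raw packet payload, while uricontent is matched against the normalized URI buffer that Snort's HTTP decoder preprocessor fills in for requests on the ports it is configured to inspect. If that preprocessor is not running for the port in question, the URI buffer is empty and a uricontent rule can never match, even though the identical content rule fires. The Python below is a simplified model of that behaviour; the functions normalize_uri, uri_buffer and evaluate, the http_ports parameter and the sample requests are all constructed here for illustration. It also shows the flip side (a percent-encoded request that only the uricontent rule catches) and the effect of the dsize:>239 test, which means that a request as short as the abbreviated one quoted in the post would not fire either rule as written.

```python
"""Model of Snort 1.x content vs. uricontent matching (illustrative, not Snort code).

Assumptions baked into this model (hypothetical simplifications):
  * `content` searches the whole TCP payload.
  * `uricontent` searches a URI buffer that the HTTP decoder preprocessor
    produces only for requests to the ports it is configured for; on any
    other port that buffer is empty.
  * Normalization = percent-decoding, collapsing repeated slashes and
    removing "/./" segments.
"""
import re
from urllib.parse import unquote

PATTERN = b".ida?X"   # the string from both rules
MIN_DSIZE = 239       # dsize:>239 from both rules


def normalize_uri(raw_uri: bytes) -> bytes:
    """Return a normalized form of the request URI (hypothetical model)."""
    text = raw_uri.decode("latin-1")
    text = unquote(text, encoding="latin-1", errors="replace")  # %2E -> "."
    text = re.sub(r"/+", "/", text)                              # "//" -> "/"
    text = text.replace("/./", "/")                              # "/./" -> "/"
    return text.encode("latin-1")


def uri_buffer(payload: bytes, dst_port: int, http_ports) -> bytes:
    """URI buffer that uricontent is matched against.

    Empty when the decoder is not configured for dst_port, or when the
    payload does not start with a request line we can parse.
    """
    if dst_port not in http_ports:
        return b""
    m = re.match(rb"^[A-Za-z]+[ \t]+(\S+)", payload)
    if not m:
        return b""
    return normalize_uri(m.group(1))


def content_match(buf: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """Substring search, case-insensitive when nocase is set."""
    if nocase:
        return pattern.lower() in buf.lower()
    return pattern in buf


def evaluate(payload: bytes, dst_port: int, http_ports=(80,)) -> dict:
    """Evaluate both rules (minus the TCP flag test) against one payload.

    Returns {"content": <bool>, "uricontent": <bool>}.
    """
    dsize_ok = len(payload) > MIN_DSIZE
    raw_hit = dsize_ok and content_match(payload, PATTERN)
    uri_hit = dsize_ok and content_match(
        uri_buffer(payload, dst_port, http_ports), PATTERN)
    return {"content": raw_hit, "uricontent": uri_hit}


def build_request(uri: str) -> bytes:
    """Constructed sample HTTP/1.0 request for the given URI."""
    return f"GET {uri} HTTP/1.0\r\nHost: target\r\n\r\n".encode("latin-1")


# Constructed samples (not captured traffic).
CODE_RED = build_request("/default.ida?" + "X" * 240)    # plain request
ENCODED = build_request("/default%2Eida?" + "X" * 240)   # "." sent as %2E
SHORT = b"get /default.ida?XXXXXXXXXXXXXXXX"             # far below dsize:>239


if __name__ == "__main__":
    for name, pkt in (("plain", CODE_RED), ("encoded", ENCODED), ("short", SHORT)):
        print(name, "decoder on port 80 :", evaluate(pkt, 80, (80,)))
        print(name, "decoder on 8080 only:", evaluate(pkt, 80, (8080,)))
```

With the decoder configured for port 80, both rules fire on the plain request and only the uricontent rule fires on the percent-encoded one; with the decoder configured for a different port, the URI buffer is empty and only the content rule ever fires, which is the symptom described in the post. Neither rule fires on the short request because of the dsize test.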
