[Snort-users] FW: uricontent vs. content

larosa, vjay larosa_vjay at ...3331...
Wed Oct 30 12:21:10 EST 2002


Hello,

Anybody have any ideas on this post I made last night? Thanks!

vjl

> -----Original Message-----
> From: 	larosa, vjay  
> Sent:	Tuesday, October 29, 2002 8:29 PM
> To:	'snort-users at lists.sourceforge.net'
> Subject:	uricontent vs. content
> 
> Hello,
> 
> I am working on an issue I am having with snort 1.9.0 build 209. I have
> two rules,
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida?X attempt"; uricontent:".ida?X"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243; rev:1;)
> 
> and
> 
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida?X attempt"; content:".ida?X"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243; rev:1;)
> 
> The only difference between the two is the first rule uses the uricontent
> keyword, and the second uses the
> plain old content option. The first rule doesn't work, the second does. 
> 
> If the packet requesting the URL is:
> 
> get /default.ida?XXXXXXXXXXXXXXXX
> 
> Shouldn't both of these rules work, (with the first one being more
> accurate)? Or am I interpreting the uricontent
> keyword incorrectly?
> 
> Thanks!
> 
> vjl
> 
> 
> V.Jay LaRosa                           EMC Corporation
> Information Security                  171 South Street
> (508)249-3355 office                  Hopkinton, MA 01748
> (508)498-5575 cell                     www.emc.com
> (888-799-9750 pager                  larosa_vjay at ...3331...
> (508)497-8082 fax
> 
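The post asks whether `uricontent` should match wherever `content` does. The toy model below, added here as an illustration and not code from the post or from the Snort project, shows why the two keywords can diverge: `content` searches the whole raw payload, while `uricontent` searches only the URI that an HTTP preprocessor managed to extract and normalise. The parser in `extract_uri` is a deliberately strict one that recognises only upper-case methods; that strictness is an assumption made for the example to model one way a request line such as the lower-case `get /default.ida?X...` in the post could yield no URI, and is not a verified statement about Snort 1.9's `http_decode` behaviour. All requests, padding and header values are constructed.

```python
"""Toy model of Snort's `content` vs `uricontent` matching (added example)."""
import re
from urllib.parse import unquote_to_bytes

PATTERN = b".ida?X"   # the pattern used by both rules in the post
MIN_DSIZE = 239       # the rules' dsize:>239 constraint

# Strict request-line parser (assumption for this example): upper-case method,
# a URI, and an HTTP version, terminated by CRLF.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/\d\.\d\r\n")


def extract_uri(payload: bytes):
    """Model of the preprocessor step that feeds `uricontent`.

    Returns the percent-decoded request URI, or None when no request line is
    recognised. Only upper-case methods are accepted here, which is how this
    example models a request line the preprocessor fails to parse.
    """
    m = REQUEST_LINE.match(payload)
    if m is None:
        return None
    return unquote_to_bytes(m.group(2))


def content_match(haystack: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """`content`: plain substring search over the entire raw payload."""
    if nocase:
        haystack, pattern = haystack.lower(), pattern.lower()
    return pattern in haystack


def uricontent_match(payload: bytes, pattern: bytes, nocase: bool = True) -> bool:
    """`uricontent`: the same search, but only over the normalised URI."""
    uri = extract_uri(payload)
    return uri is not None and content_match(uri, pattern, nocase)


def rule_fires(payload: bytes, use_uricontent: bool) -> bool:
    """Evaluate the post's rule: dsize:>239 plus one of the two content options."""
    if len(payload) <= MIN_DSIZE:
        return False
    if use_uricontent:
        return uricontent_match(payload, PATTERN)
    return content_match(payload, PATTERN)


def make_request(request_line: bytes, body: bytes = b"") -> bytes:
    """Build a constructed HTTP/1.0 request padded past the dsize:>239 threshold."""
    headers = b"Host: www.example.com\r\nX-Pad: " + b"A" * 200 + b"\r\n\r\n"
    return request_line + b"\r\n" + headers + body


def compare_cases() -> dict:
    """Run both rule variants over constructed requests.

    Returns {case_name: (content_fires, uricontent_fires)}.
    """
    cases = {
        # 1. Upper-case GET with the .ida?X URI: both options fire.
        "GET_upper": make_request(b"GET /default.ida?" + b"X" * 16 + b" HTTP/1.0"),
        # 2. Lower-case method as written in the post: content still fires,
        #    uricontent does not because the strict parser extracts no URI.
        "get_lower": make_request(b"get /default.ida?" + b"X" * 16 + b" HTTP/1.0"),
        # 3. Pattern only in the body, not in the URI: content fires,
        #    uricontent does not (this is the precision uricontent buys).
        "body_only": make_request(b"POST /upload HTTP/1.0", body=b"note=.ida?XXXX"),
        # 4. Percent-encoded URI (.%69da decodes to .ida): uricontent matches
        #    the decoded form, raw content does not.
        "pct_encoded": make_request(b"GET /default.%69da?" + b"X" * 16 + b" HTTP/1.0"),
    }
    return {name: (rule_fires(p, False), rule_fires(p, True)) for name, p in cases.items()}


if __name__ == "__main__":
    for name, (c, u) in compare_cases().items():
        print(f"{name:12s} content={c!s:5s} uricontent={u}")
```

Cases 3 and 4 are the reason `uricontent` is normally the better choice for a URI-based signature: it ignores matches outside the URI and sees through percent-encoding. Case 2 is the caveat: the keyword only works when the preprocessor actually produced a URI for the packet, so when a `uricontent` rule is silent while its `content` twin fires, checking what the HTTP preprocessor extracted from that traffic is the first thing to verify.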
