[Snort-users] FW: uricontent vs. content

larosa, vjay larosa_vjay at ...3331...
Wed Oct 30 17:15:10 EST 2002


Hi Chris,

I tested this and all of the data was in one packet. 
I will try testing this tomorrow AM with
no dsize option with and with out the uricontent
to see what happens. Thanks!

vjl

-----Original Message-----
From: Chris Green [mailto:cmg at ...950...]
Sent: Wednesday, October 30, 2002 5:49 PM
To: larosa, vjay
Cc: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] FW: uricontent vs. content


"larosa, vjay" <larosa_vjay at ...3331...> writes:

> From: "larosa, vjay" <larosa_vjay at ...3331...>
> Subject: [Snort-users] FW: uricontent vs. content
> To: "'snort-users at lists.sourceforge.net'"
<snort-users at lists.sourceforge.net>
> Date: Wed, 30 Oct 2002 15:20:18 -0500
>
> Hello,
>
> Anybody have any ideas on this post I made last night? Thanks!
>

I'm betting its because
GET
/default ida?XXXXX  is pushed through as 2 packets instead
and that the dsize check is not true for stream packets.

I'm having Brian remove that and I'll go and make sure that
distance/within works correctly before 1.9.1...
-- 
Chris Green <cmg at ...1935...>
 "Not everyone holds these truths to be self-evident, so we've worked
                  up a proof of them as Appendix A." --  Paul Prescod




More information about the Snort-users mailing list