[Snort-users] FW: uricontent vs. content
larosa_vjay at ...3331...
Wed Oct 30 17:15:10 EST 2002
I tested this and all of the data was in one packet.
I will try testing this tomorrow AM with
no dsize option with and with out the uricontent
to see what happens. Thanks!
From: Chris Green [mailto:cmg at ...950...]
Sent: Wednesday, October 30, 2002 5:49 PM
To: larosa, vjay
Cc: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] FW: uricontent vs. content
"larosa, vjay" <larosa_vjay at ...3331...> writes:
> From: "larosa, vjay" <larosa_vjay at ...3331...>
> Subject: [Snort-users] FW: uricontent vs. content
> To: "'snort-users at lists.sourceforge.net'"
<snort-users at lists.sourceforge.net>
> Date: Wed, 30 Oct 2002 15:20:18 -0500
> Anybody have any ideas on this post I made last night? Thanks!
I'm betting its because
/default ida?XXXXX is pushed through as 2 packets instead
and that the dsize check is not true for stream packets.
I'm having Brian remove that and I'll go and make sure that
distance/within works correctly before 1.9.1...
Chris Green <cmg at ...1935...>
"Not everyone holds these truths to be self-evident, so we've worked
up a proof of them as Appendix A." -- Paul Prescod
More information about the Snort-users