[Snort-users] uricontent vs. content

larosa, vjay larosa_vjay at ...3331...
Thu Oct 31 11:01:06 EST 2002

That was it! Maybe somebody from Snort.org could put a little note in
the http_decode and uricontent portions of the Snort users manual as
well as maybe a note in the snort.conf for the http_decode pre-processor?



-----Original Message-----
From: larosa, vjay [mailto:larosa_vjay at ...3331...]
Sent: Thursday, October 31, 2002 7:36 AM
To: 'andreaso at ...236...'
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] uricontent vs. content

What a bonehead I am! For some reason I commented out the http_decode
Thanks for your help Andreas! I will re-enable it and test it when I get in
to work.


-----Original Message-----
From: Andreas Östling [mailto:andreaso at ...236...]
Sent: Thursday, October 31, 2002 3:53 AM
To: larosa, vjay
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] uricontent vs. content

On Wednesday 30 October 2002 02.28, larosa, vjay wrote:
> Shouldn't both of these rules work, (with the first one being more
> accurate)? Or am I interpreting the uricontent
> keyword incorrectly?

This may be a stupid question, but are you sure you loaded the http_decode 
preprocessor and that you don't get any error message from it on startup?
Uricontent will not work without it. 

Both your rules works for me.


This sf.net email is sponsored by: Influence the future 
of Java(TM) technology. Join the Java Community 
Process(SM) (JCP(SM)) program now. 
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list