[Snort-users] newbie: http and uris

Peter Schmitz mosquitooth at ...158...
Tue Apr 12 05:15:22 EDT 2005


I've got some (newbie) questions concerning http and especially URIs I
couldn't find an answert to - but nethertheless I do need the answers to
write snort rules with the "uricontent" keyword.

- What does the string "\....\" in an URI mean? There are some hints on
"directory transversal" - could someone explain this any further?

- Every whitespace character in an URI is replaced by a "+" when encoded to
html (correct?). Now, does snort remove this "+" when it decodes the http

- What is the standard decoding for snort? UTF7, UTF8, Unicode, ASCII...?

- Several papers I tried to read about the subject contain the term "regular
expression". What's this?

Greetings and thanks in advance,


