[Snort-users] Why content and not uricontent?

Holger Mense holger at ...13256...
Thu Apr 21 09:08:44 EDT 2005


Hi,

thank you for your answer. I thought about it, however, I didn't get it ;)

* Brian <bmc at ...950...>:
> On Tue, Apr 12, 2005 at 11:43:59PM +0200, Holger Mense wrote:
> > Now I am curios. Can someone explain me, if there are any reasons
> > for using content over uricontent?
> 
> phf can be exploited via POST as well as GET.  http inspect doesn't
> provide a normalized parameter detection method, 

I don't understand this. Using uricontent="QALIAS" worked for me, even when 
the string "qalias" used hex encoding. And this part of the URL already 
belongs to the parameter.


> so we use content to catch both GET and POST attacks.

Which does not catch the different encodings.


Thanks for your help,
Holger Mense

-- 
Holger Mense
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20050421/ac1cd2f3/attachment.sig>


More information about the Snort-users mailing list