[Snort-users] Why content and not uricontent?
holger at ...13256...
Thu Apr 21 09:08:44 EDT 2005
thank you for your answer. I thought about it, however, I didn't get it ;)
* Brian <bmc at ...950...>:
> On Tue, Apr 12, 2005 at 11:43:59PM +0200, Holger Mense wrote:
> > Now I am curios. Can someone explain me, if there are any reasons
> > for using content over uricontent?
> phf can be exploited via POST as well as GET. http inspect doesn't
> provide a normalized parameter detection method,
I don't understand this. Using uricontent="QALIAS" worked for me, even when
the string "qalias" used hex encoding. And this part of the URL already
belongs to the parameter.
> so we use content to catch both GET and POST attacks.
Which does not catch the different encodings.
Thanks for your help,
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 189 bytes
Desc: Digital signature
More information about the Snort-users