Snort Forums Archive
newbie: uricontent?
Posted by mosquitooth on March 28, 2005 00:34:41
Hi,
I'm quite new to snort (and networking in general) so please excuse this trivial question:
What does the keyword 'uricontent' mean? What is an URI? could anyone give me an example?
thanks a lot
Peter
Posted by maverick on March 30, 2005 06:41:09
It checks the URI (Uniform Resource Identifier) of an HTTP packet as opposed to the whole packet content for efficiency. So if you searched google.com for "uri", the uricontent portion of the signature would check "http://www.google.com/search?hl=en&lr=&q=uri" instead of the entire returned page.
Posted by mosquitooth on March 30, 2005 10:41:11
Thanks for replying! So, is URI just the same as URL?
Is it possible to say that every URI starts with the string "http://" and ends with - yeah ends with what?
Or, is it better to say that every URI (in real network flow) begins one byte after the "GET" statement and ends with the "HTTP" statement (e.g. "GET www/GMX_de/?3234234343 HTTP/1.1 [...]", so the URI would be 'www/GMX_de/?3234234343').
Or, to cut all this short: When I log all http traffic (as tcpdump), how can I precisely identify an URI (what are start/end statements)?
Thanks a lot,
Peter
Posted by nigel on April 05, 2005 20:38:05
OK, you need to take a close look at README.http_inspect for what uricontent can do for you. In short, http_inspect will get you a normalised URI (a URL is a subset of URI); that is, http_inspect will fix URIs that have been mangled in an attempt to evade your IDS.
With uricontent you can disregard the GET and the http:// and any obfuscation techniques performed by an attacker. You can concentrate on the actual content of the URI. A simple example might be this: suppose you have the following URI that targets a vulnerable script on a server, and you can pass some variables (foo/bar) to exploit the script:
http://www.target.com/cgi-bin/vulnerable.cgi?foo/bar
And to avoid detection, you could send the following request to access the script
http://www.target.com/../../../../../../../cgi-bin/vulnerable.cgi?../../../foo/../../bar
uricontent would allow you to ignore the directory traversals, "../../" to concentrate on the actual bad things sent to the script (the foo/bar) so your rule could just use uricontent:"foo/bar";
This is a very simplistic view, but should give you an idea of what you can do.
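A small illustration of the two answers above, added here as an example rather than code from the thread or from Snort itself: it pulls the request-target out of a raw request line (the token between the method and the HTTP-version, which answers the "where does the URI start and end" question), applies a simplified version of the normalisation http_inspect performs (percent-decoding, plus removal of "." and ".." segments in the path without ever climbing above "/"), and then checks a uricontent-style pattern against the normalised URI. The request lines are constructed samples, and the normaliser is a deliberately reduced model of http_inspect, which handles many more encodings and options.

```python
from urllib.parse import unquote

# Constructed sample requests (not captured traffic): a plain request, the
# traversal-obfuscated one from the thread, and a percent-encoded variant.
REQUESTS = [
    b"GET /cgi-bin/vulnerable.cgi?foo/bar HTTP/1.1\r\nHost: www.target.com\r\n\r\n",
    b"GET /../../../../cgi-bin/vulnerable.cgi?../../../foo/../../bar HTTP/1.1\r\n"
    b"Host: www.target.com\r\n\r\n",
    b"GET /cgi-bin/%76ulnerable.cgi?foo%2Fbar HTTP/1.1\r\nHost: www.target.com\r\n\r\n",
]


def extract_uri(request: bytes) -> str:
    """Return the request-target: the token between the method and the
    HTTP-version on the first line of the request."""
    line = request.split(b"\r\n", 1)[0].decode("latin-1")
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"not an HTTP request line: {line!r}")
    return parts[1]


def normalize_uri(uri: str) -> str:
    """Simplified http_inspect-style normalisation (assumption: a reduced model).
    Percent-decodes path and query; drops '.', empty and '..' segments from the
    path, with '..' never going above the root. The query keeps its text."""
    path, sep, query = uri.partition("?")
    path = unquote(path)
    segs = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue          # '//' and '/./' add nothing
        if seg == "..":
            if segs:
                segs.pop()    # step back one directory, but not above '/'
            continue
        segs.append(seg)
    norm = "/" + "/".join(segs)
    if path.endswith("/") and segs:
        norm += "/"           # keep a meaningful trailing slash
    return norm + (sep + unquote(query) if sep else "")


def uricontent_match(request: bytes, pattern: str) -> bool:
    """Emulate `uricontent:"<pattern>";`: match the pattern against the
    normalised URI only, not the raw packet payload."""
    return pattern in normalize_uri(extract_uri(request))
```

Matching the raw request-target instead would miss the percent-encoded sample, while the normalised form exposes the script name in all three.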