uricontent
The uricontent keyword in the Snort rule language searches the
NORMALIZED request URI field. This means that if you are writing
rules that include things that are normalized, such as %2f or directory
traversals, these rules will not alert. The reason is that the things you
are looking for are normalized out of the URI buffer.
For example, the URI:

    /scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver

will get normalized into:

    /winnt/system32/cmd.exe?/c+ver

Another example, the URI:

    /cgi-bin/aaaaaaaaaaaaaaaaaaaaaaaaaa/..%252fp%68f?

will get normalized into:

    /cgi-bin/phf?
When writing a uricontent rule, write the content that you want to
find in the context that the URI will be normalized. For example, if Snort
normalizes directory traversals, do not include directory traversals.
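The following is an added example, not Snort's own code: a deliberately simplified model of the normalization HTTP Inspect applies before uricontent matching (single and double %XX decoding, overlong UTF-8 folding, directory traversal removal), run over the two URIs above to show why a pattern written against the raw request, such as %2f or ../, never appears in the buffer a uricontent rule sees. It assumes the query string is reattached unchanged; the real preprocessor handles more cases than this.

```python
import re

# Constructed, simplified model of what HTTP Inspect does to the request URI
# before uricontent matching (an added example, not Snort's own code): %XX
# decoding applied twice (double encoding), overlong UTF-8 folding and
# directory-traversal removal. The real preprocessor handles more cases.

def percent_decode(data: bytes) -> bytes:
    """Decode %XX escapes once; malformed escapes stay as literal bytes."""
    return re.sub(rb"%([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def fold_overlong_utf8(data: bytes) -> bytes:
    """Fold overlong 2-byte UTF-8 (lead 0xC0/0xC1) to the ASCII byte it encodes:
    0xC0 0xAF -> ((0xC0 & 0x1F) << 6) | (0xAF & 0x3F) = 0x2F = '/'."""
    return re.sub(rb"[\xc0\xc1][\x80-\xbf]",
                  lambda m: bytes([((m.group(0)[0] & 0x1F) << 6) | (m.group(0)[1] & 0x3F)]),
                  data)

def resolve_traversal(path: bytes) -> bytes:
    """Drop '.' segments, let '..' pop the previous segment (never above '/'),
    and collapse repeated slashes. Trailing slashes are not preserved."""
    segs = []
    for seg in path.split(b"/"):
        if seg == b"..":
            if segs:
                segs.pop()
        elif seg not in (b"", b"."):
            segs.append(seg)
    return b"/" + b"/".join(segs)

def normalize_uri(raw: bytes) -> bytes:
    """Normalize the path; the query string is reattached unchanged (assumption)."""
    path, sep, query = raw.partition(b"?")
    for _ in range(2):  # second pass turns %252f -> %2f -> '/'
        path = percent_decode(path)
    return resolve_traversal(fold_overlong_utf8(path)) + sep + query

def uricontent_matches(pattern: bytes, raw_uri: bytes) -> bool:
    """True when uricontent:"pattern" would find the bytes in the normalized buffer."""
    return pattern in normalize_uri(raw_uri)

if __name__ == "__main__":
    for uri in (b"/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver",
                b"/cgi-bin/aaaaaaaaaaaaaaaaaaaaaaaaaa/..%252fp%68f?"):
        print(uri, b"->", normalize_uri(uri))
    # Patterns written against the raw URI never match the normalized buffer:
    print(uricontent_matches(b"%2f", b"/cgi-bin/aaaaaaaaaaaaaaaaaaaaaaaaaa/..%252fp%68f?"))  # False
    print(uricontent_matches(b"/cgi-bin/phf", b"/cgi-bin/aaaaaaaaaaaaaaaaaaaaaaaaaa/..%252fp%68f?"))  # True
```

To detect the encoded form itself, use the content option against the raw buffer, as the next paragraph describes.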
You can write rules that look for the non-normalized content by using the
content option. (See Section )
For a description of the parameters to this function, see the content rule
options in Section .
This option works in conjunction with the HTTP Inspect preprocessor specified
in Section .
Steven Sturges
2007-10-04