Snort mailing list archives
Why content and not uricontent?
From: Holger Mense <holger () project2501 de>
Date: Tue, 12 Apr 2005 23:43:59 +0200
Hi,

I am writing a bachelor thesis about NID in general and Snort in particular. Therefore I played around with Snort and HTTP evasion. For testing purposes I used the phf attack, which is triggered by Snort with this rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI phf arbitrary command execution attempt"; flow:to_server,established; uricontent:"/phf"; nocase; content:"QALIAS"; nocase; content:"%0a"; reference:arachnids,128; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-attack; sid:1762; rev:5;)

When using the following string, Snort didn't notice the attack:

/cgi/bin/phf?Q%61lias=x%0a/bin/cat%20/etc/passwd

I just did a hex encoding of the letter "a" in "Qalias". I solved this by using uricontent="QALIAS" in the original rule.

Now I am curious. Can someone explain to me if there are any reasons for using content over uricontent?

Thanks,
Holger

P.S.: Yes, I know that there is another rule which will detect my string. However, this rule alerts on every (normal) use of phf. And I also know that the phf exploit is rather old. Like I said, I am just curious.

--
Holger Mense
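The difference Holger ran into is where each keyword looks: Snort's content matches against the raw payload as it was sent on the wire, while uricontent matches against the URI after the HTTP preprocessor has normalized it (percent-decoding included). The following Python model is an added illustration and is not code from the post or from the Snort project; it reduces normalization to a single percent-decode (real http_inspect does considerably more, which is an assumption to keep in mind) and replays the two rule variants from the post against the plain and the %61-encoded request so the detection gap is visible.

```python
from urllib.parse import unquote

# Constructed sample requests built around the URI from the post (not a real capture).
# PLAIN_REQUEST spells "Qalias" literally; ENCODED_REQUEST hex-encodes the "a" as %61.
PLAIN_REQUEST = "GET /cgi/bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
ENCODED_REQUEST = "GET /cgi/bin/phf?Q%61lias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\nHost: www.example.com\r\n\r\n"


def extract_uri(request: str) -> str:
    """Return the request-target from the HTTP request line (METHOD SP URI SP VERSION)."""
    request_line = request.split("\r\n", 1)[0]
    return request_line.split(" ")[1]


def normalize_uri(uri: str) -> str:
    """Simplified stand-in for http_inspect URI normalization: one round of percent-decoding.

    Assumption: the real preprocessor also handles things like double encoding and
    directory traversal; a single unquote() is enough to show why %61 disappears."""
    return unquote(uri)


def content_match(payload: str, pattern: str, nocase: bool = False) -> bool:
    """Model of Snort `content`: search the raw payload bytes, optionally case-insensitively."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def uricontent_match(payload: str, pattern: str, nocase: bool = False) -> bool:
    """Model of Snort `uricontent`: search the *normalized* URI, not the raw payload."""
    uri = normalize_uri(extract_uri(payload))
    if nocase:
        return pattern.lower() in uri.lower()
    return pattern in uri


def sid1762_original(payload: str) -> bool:
    """The rule as quoted in the post: uricontent:"/phf"; nocase; content:"QALIAS"; nocase; content:"%0a";"""
    return (
        uricontent_match(payload, "/phf", nocase=True)
        and content_match(payload, "QALIAS", nocase=True)   # raw buffer: "Q%61lias" never matches
        and content_match(payload, "%0a")                   # literal "%0a" is still present raw
    )


def sid1762_modified(payload: str) -> bool:
    """Holger's variant: the QALIAS check moved to uricontent so it sees the decoded URI."""
    return (
        uricontent_match(payload, "/phf", nocase=True)
        and uricontent_match(payload, "QALIAS", nocase=True)  # decoded URI reads "Qalias"
        and content_match(payload, "%0a")
    )


def evaluate_all() -> dict:
    """Run both rule variants over both requests; returns a name -> bool map for inspection."""
    return {
        "original/plain": sid1762_original(PLAIN_REQUEST),
        "original/encoded": sid1762_original(ENCODED_REQUEST),
        "modified/plain": sid1762_modified(PLAIN_REQUEST),
        "modified/encoded": sid1762_modified(ENCODED_REQUEST),
    }


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:18s} -> {'ALERT' if hit else 'no alert'}")
```

The third check deliberately stays as content:"%0a": after normalization that sequence becomes a bare newline, so a uricontent:"%0a" would not match the literal characters the rule is looking for. That is the practical trade-off the question is about: a raw-buffer match is cheap and exact, but anything the client is allowed to encode must be matched on the normalized buffer or it will simply not be seen.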
