Re: [Emerging-Sigs] what s the real difference here?

[Joel Esler <jesler () sourcefire com>]

On Jul 13, 2010, at 8:03 PM, evilghost () packetmail net wrote:
> > > Riddle me this.  If I constrain a content match to the URI buffer (ala http_uri;) can I now use content modifiers 
> > > which do not work with a uricontent match?  Some of these being
> > > depth, distance, isdataat, etc?
> >
> > I'd like the Snort team to comment on this one, as I don't want to give you a wrong answer, but since it's reading a 
> > normalized field, my knee jerk reaction is to say "no."
>
> Thanks Joel, the reason I ask is I think I ran into this issue with a content match following another content match 
> constrained to 'http_cookie;' which attempted to be relative to
> the previous content match with a modifier (from what I recall it was 'distance'). AFAIK it doesn't work this way and 
> 'content:"spice"; http_uri;' is a pseudonym for
> 'uricontent:"spice";' and any content modifiers aren't applicable.  I'm not sure that's going to be implied in the 
> manual with regard to many of the content modifiers... Make sense?

Yes, I do understand.  Like I said, I'd like a Snort team comment on this one, just so we can be clear.  Are you saying 
that we should make it clear in the manual?

> Essentially, confining to the http_uri; isn't as "useful" as http_cookie; and http_header; due to the existence of 
> uricontent.

Yeah, let me defer to comment from the dev.  I am sure there was a reason for the separate development, even if it's 
planning for future use.


------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs