Bug #219

uricontent with relative pcre

Added by Victor Julien over 14 years ago. Updated almost 14 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

There are signatures in VRT that follow this basic pattern. We are not supporting it because right now the detection engine has no way of knowing where in the raw payload the uri match ended. Another complication is that the uri normalizer may change the size of the uri (e.g. %20 becomes a single space, shrinking the uri by 2 bytes).

uricontent:"foo"; pcre:"/bar/R";
content:"foo"; http_uri; pcre:"/bar/R";

It seems in Snort this only works on non-normalized uris.
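
The offset problem described in the report, as an added illustration (not Suricata or Snort code): a percent-decoder that records, for each normalized byte, the raw offset where it ended, so the end of a match in the normalized URI can be translated back to the raw payload. The function names, buffer sizes and sample URI are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode raw[0..raw_len) into norm; raw_end[i] is the raw offset just
 * past the bytes that produced norm[i]. Illustrative: only %XX is handled. */
static size_t uri_normalize(const char *raw, size_t raw_len, char *norm, size_t *raw_end)
{
    size_t n = 0;
    for (size_t i = 0; i < raw_len; ) {
        if (raw[i] == '%' && i + 2 < raw_len &&
            isxdigit((unsigned char)raw[i + 1]) && isxdigit((unsigned char)raw[i + 2])) {
            char hex[3] = { raw[i + 1], raw[i + 2], '\0' };
            norm[n] = (char)strtol(hex, NULL, 16);
            i += 3;                       /* three raw bytes became one */
        } else {
            norm[n] = raw[i++];
        }
        raw_end[n++] = i;
    }
    return n;
}

/* Match pat in the normalized URI; report the match end in normalized space
 * and the same position in the raw buffer. Returns 1 on match, else 0. */
int match_end_offsets(const char *raw, const char *pat, size_t *norm_off, size_t *raw_off)
{
    char norm[256];
    size_t raw_end[256], raw_len = strlen(raw), pat_len = strlen(pat);
    if (raw_len > sizeof(norm) || pat_len == 0)
        return 0;
    size_t n = uri_normalize(raw, raw_len, norm, raw_end);
    for (size_t s = 0; s + pat_len <= n; s++) {
        if (memcmp(norm + s, pat, pat_len) == 0) {
            *norm_off = s + pat_len;
            *raw_off = raw_end[s + pat_len - 1];
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    const char *raw = "/a%20b%20foobar"; /* constructed sample URI */
    size_t no, ro;
    if (match_end_offsets(raw, "foo", &no, &ro))
        printf("norm end=%zu -> \"%s\"; raw end=%zu -> \"%s\"\n", no, raw + no, ro, raw + ro);
    return 0;
}
```

With the sample URI, the normalized end offset applied to the raw buffer lands before "foo", while the mapped raw offset lands on "bar", which is where a relative `pcre:"/bar/R"` would need to start.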
