[Oisf-users] distance, uricontent

Matt Jonkman jonkman at jonkmans.com
Thu Mar 18 15:04:52 UTC 2010

Well, the complication is in the uri buffer the data may be normalized,
and thus a different length than it is in the packet. So distance then
becomes difficult to calculate.

(I realize you probably knew that, but stating it for clarity :) )

So, my personal preference I've mentioned before is to be able to use
relative modifiers with uri matches. It would make a lot of things
easier to find without evasions. If we can just find a reliable way to
calculate both the original distance, and the new normalized distance,
then find a range that fits both. That might open up a few extra false
positives, but it'll make sure we have no false negatives. Preferable in
my opinion.

But I'll let Victor and Will and the guys chime in here as to the
technical feasibility.


On 3/18/10 10:52 AM, Geoff Whittington wrote:
> Hello,
> Can someone confirm whether there was a decision about the
> interpretation of uricontent as a "pattern match"? i.e.
> uricontent:"BAAD"; uricontent:"FOOD"; distance:0;
> According to snort:
> "The distance keyword allows the rule writer to specify how far into a
> packet Snort should
> ignore before starting to search for the specified pattern relative to
> the end of the previous
> pattern match."
> Cheers,
>  - Geoff
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users


Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc

More information about the Oisf-users mailing list