Actions
Bug #219
closeduricontent with relative pcre
Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:
Description
There are signatures in VRT that follow this basic pattern. We are not supporting it because right now the detection engine has no way of knowing where in the raw payload the uri match ended. Another complication is that the uri normalizer may change the size of the uri (e.g. %20 becomes a single space, shrinking the uri with 2 bytes).
uricontent:"foo"; pcre:"/bar/R";
content:"foo"; http_uri; pcre:"/bar/R";
It seems in Snort this only works on non-normalized uri's.
Updated by Victor Julien over 13 years ago
- Status changed from New to Closed
This works now in 1.1beta1.
Actions