Project

General

Profile

Actions
Copy link

Feature #341

closed

urilen option to match on raw uri

Added by Victor Julien over 12 years ago. Updated over 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Anoop Saldanha
Target version:
1.2rc1
Effort:
Difficulty:
Label:

Description

By default Suricata's urilen matches on the normalized buffer. Snort 2.9.1 added support for matching on both the raw and normalized buffers:

urilen:min<>max[,<uribuf>];
urilen:[<|>]<number>[,<uribuf>];
<uribuf> : "norm" | "raw"

It seems that Snort selects the raw uri by default.

Files

0001-bug-341-support-for-urilen-check-on-both-norm-and-ra.patch (26.1 KB) 0001-bug-341-support-for-urilen-check-on-both-norm-and-ra.patch Anoop Saldanha, 12/22/2011 04:26 AM
Actions
Copy link

Also available in: Atom PDF