The uricontent keyword in the Snort rule language searches the
NORMALIZED request URI field. This is equivalent to using the
http_uri modifier to a content keyword. As such if you
are writing rules that include things that are normalized, such as
For example, the URI:
will get normalized into:
Another example, the URI:
will get normalized into:
When writing a uricontent rule, write the content that you want to
find as it will appear after the URI has been normalized. For example, if
Snort normalizes directory traversals, do not include directory traversals
in the pattern.
You can write rules that look for the non-normalized content by using the
content option. (See the section on the content option.)
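
The following Python sketch is an added example, not code from the Snort manual or from Snort itself. It models the normalized and raw URI buffers with a simplified normalizer (one pass of percent-decoding plus resolution of "." and ".." segments, an assumption that covers only part of what HTTP Inspect does) and a constructed request URI, to show which rule patterns match in which buffer.

```python
from urllib.parse import unquote

def normalize_uri(raw_uri: str) -> str:
    """Simplified model of URI normalization (assumption, not HTTP Inspect):
    percent-decode the path once, then resolve '.', '..' and empty segments."""
    path, sep, query = raw_uri.partition("?")
    segments = []
    for seg in unquote(path).split("/"):
        if seg == "..":
            if segments:
                segments.pop()          # step back one directory, never above root
        elif seg not in ("", "."):
            segments.append(seg)
    return "/" + "/".join(segments) + sep + query

def matches(pattern: str, raw_uri: str, buffer: str, nocase: bool = False) -> bool:
    """buffer='normalized' models uricontent (or content with http_uri);
    buffer='raw' models content with http_raw_uri."""
    haystack = normalize_uri(raw_uri) if buffer == "normalized" else raw_uri
    if nocase:
        pattern, haystack = pattern.lower(), haystack.lower()
    return pattern in haystack

# Constructed request URI: encoded traversal plus an encoded letter in the file name.
SAMPLE_URI = "/static/..%2fadmin/%63onfig.php?id=1"

def compare(raw_uri: str = SAMPLE_URI) -> dict:
    """Evaluate four hypothetical rule patterns against the two buffers."""
    return {
        # Encoded traversal in a uricontent pattern: gone after normalization.
        'uricontent:"..%2f"': matches("..%2f", raw_uri, "normalized"),
        # Pattern written as the URI looks after normalization.
        'uricontent:"/admin/config.php"': matches("/admin/config.php", raw_uri, "normalized"),
        # The encoded form is only visible in the unnormalized buffer.
        'content:"..%2f"; http_raw_uri': matches("..%2f", raw_uri, "raw"),
        # A plain-text path pattern misses the encoded request in the raw buffer.
        'content:"/admin/config.php"; http_raw_uri': matches("/admin/config.php", raw_uri, "raw"),
    }

if __name__ == "__main__":
    print("raw:       ", SAMPLE_URI)
    print("normalized:", normalize_uri(SAMPLE_URI))
    for rule, hit in compare().items():
        print(f"{'MATCH' if hit else 'miss':5}  {rule}")
```
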
uricontent can be used with several of the modifiers available to the
content keyword. These include:

  nocase
  depth
  offset
  distance
  within
  fast_pattern

This option works in conjunction with the HTTP Inspect preprocessor
described in the HTTP Inspect section.
uricontent cannot be modified by a rawbytes modifier or any
of the other HTTP modifiers. If you wish to search the UNNORMALIZED
request URI field, use the http_raw_uri modifier with a
content option.
3.5.23.1 Format