The uricontent keyword in the Snort rule language searches the NORMALIZED request URI field. This is equivalent to using the http_uri modifier on a content keyword. As such, if you write rules that match on things the normalizer removes or decodes, such as %2f or directory traversals, those rules will never alert: the bytes you are looking for have already been normalized out of the URI buffer by the time the match runs.
For example, the URI:
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver
will get normalized into:
/winnt/system32/cmd.exe?/c+ver
Another example, the URI:
/cgi-bin/aaaaaaaaaaaaaaaaaaaaaaaaaa/..%252fp%68f?
will get normalized into:
/cgi-bin/phf?
When writing a uricontent rule, write the content as it will appear after the URI has been normalized, not as it appears on the wire. For example, since Snort normalizes directory traversals, do not include directory traversals in a uricontent pattern.
You can write rules that look for the non-normalized content by using the content option. (See Section 3.5.1)
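The following is an added worked example, not code from the Snort manual or from the HTTP Inspect preprocessor. It models the three normalizations this section names (percent-decoding applied twice so that %252f becomes a slash, the overlong UTF-8 encoding %c0%af of "/", and "..", ".", and empty-segment resolution) in a small Python function, then reproduces the two example URIs above and shows why a pattern written against the raw URI would only match with content, while a uricontent pattern must be written against the normalized form. The function and helper names (`normalize_uri`, `fold_overlong`, `uricontent_match`, `content_match`) are hypothetical, and the normalizer is a simplified illustration, not a faithful reimplementation of HTTP Inspect.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample URIs, copied from the two examples in the text.
EXAMPLE_1 = "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+ver"
EXAMPLE_2 = "/cgi-bin/aaaaaaaaaaaaaaaaaaaaaaaaaa/..%252fp%68f?"


def fold_overlong(data: bytes) -> bytes:
    """Collapse two-byte overlong UTF-8 encodings of ASCII (lead byte 0xC0/0xC1)
    into the single ASCII byte they encode, e.g. b'\\xc0\\xaf' -> b'/'."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def normalize_uri(uri: str) -> str:
    """Simplified model of URI normalization: decode the path twice
    (catching double-encoding such as %252f), fold overlong slashes,
    then resolve '.' and '..' segments. The query string is left untouched."""
    path, sep, query = uri.partition("?")
    for _ in range(2):                       # two decoding passes: %252f -> %2f -> /
        path = fold_overlong(unquote_to_bytes(path)).decode("latin-1")
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):                 # collapse '//' and '/./'
            continue
        if seg == "..":                      # '..' above the root is simply dropped
            if stack:
                stack.pop()
            continue
        stack.append(seg)
    return "/" + "/".join(stack) + sep + query


def uricontent_match(pattern: str, raw_uri: str, nocase: bool = False) -> bool:
    """Models 'uricontent': the pattern is searched in the NORMALIZED URI buffer."""
    haystack = normalize_uri(raw_uri)
    if nocase:
        return pattern.lower() in haystack.lower()
    return pattern in haystack


def content_match(pattern: str, raw_uri: str, nocase: bool = False) -> bool:
    """Models plain 'content' without http_uri: the pattern is searched in the raw bytes."""
    if nocase:
        return pattern.lower() in raw_uri.lower()
    return pattern in raw_uri


if __name__ == "__main__":
    print(normalize_uri(EXAMPLE_1))   # /winnt/system32/cmd.exe?/c+ver
    print(normalize_uri(EXAMPLE_2))   # /cgi-bin/phf?
    # A traversal pattern never fires as uricontent, but does as raw content.
    print(uricontent_match("..%c0%af", EXAMPLE_1))            # False
    print(content_match("..%c0%af", EXAMPLE_1))               # True
    # The normalized target is what a uricontent rule should look for.
    print(uricontent_match("/winnt/system32/cmd.exe", EXAMPLE_1))  # True
```

Running the block prints the two normalized URIs from the text and then shows the practical rule-writing consequence: a uricontent pattern containing "..%c0%af" or "%252f" can never match, because those bytes are gone from the normalized buffer, whereas a content rule without http_uri still sees the raw request and can be used when the encoding itself is the indicator of interest.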
uricontent can be used with several of the modifiers available to the content keyword. These include:
| Modifier | Section |
|---|---|
| nocase | 3.5.2 |
| depth | 3.5.4 |
| offset | 3.5.5 |
| distance | 3.5.6 |
| within | 3.5.7 |
| fast_pattern | 3.5.19 |
This option works in conjunction with the HTTP Inspect preprocessor specified in Section 2.2.6.