Dailydave mailing list archives

RE: Testing the quickness of signature writers


From: "Dave Korn" <dave.korn () artimi com>
Date: Tue, 2 May 2006 15:44:36 +0100

On 02 May 2006 15:39, Dave Aitel wrote:
 
Brian Caswell wrote:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP horde help module arbitrary command execution attempt"; flow:established,to_server; uricontent:"/services/help/"; pcre:"/[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]/U"; classtype:web-application-attack;)

Does your script break if I shove a space in between the \x3b and the
\x26? I try to understand snort signatures, but they're essentially
optimized to be exactly the opposite of what my brain can handle. PCRE
is here

http://www.snort.org/docs/snort_manual/node21.html#SECTION004510000000000000000
but maybe I'm not seeing it right.


pcre:"/[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]/U";

  A forward slash, followed by any one char from the set ('?', ';', '&')
followed by the literal text "module=" followed by any number (zero or more)
alphanumerics followed by any char that is neither ';' nor '&'.  All matched
against the decoded URI buffer.

  I.e. it's looking at the url-encoded cgi parameters (which always follow a ?
; or &) for one that matches 'module=.....something...' and making sure that
the bit after the equals sign has only alphanums until it meets the delimiter
which identifies the next field.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....
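The quickest way to settle what a pcre option accepts is to run the expression over a handful of candidate URIs. The block below is an added example, not code from the thread or from Snort: it takes the pcre body from Brian Caswell's rule and applies it with Python's re module to constructed, already-decoded URIs (Snort's U modifier matches against the normalized URI buffer, so the samples are written as decoded text; this example does not reproduce Snort's own normalization). Two details worth seeing in running code: the leading class [\? \x3b\x26] has four members, '?', a literal space, ';' and '&', so "; module=imp" is accepted; and because [a-zA-Z0-9]* can give characters back, [^\x3b\x26] is satisfied by the last letter of a benign value such as module=horde, so the rule fires on any non-empty module value. TIGHT_PCRE is my own suggested tightening (not from the thread) that only fires when a non-alphanumeric, non-delimiter character appears in the value.

```python
import re

# pcre body from the rule as posted, without the /.../U delimiters.
HORDE_PCRE = r"[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]"

# Suggested tightening (my assumption, not the thread's or Snort's rule):
# the final class also excludes alphanumerics, so backtracking over a
# benign value can no longer satisfy it.
TIGHT_PCRE = r"[\? \x3b\x26]module=[a-zA-Z0-9]*[^a-zA-Z0-9\x3b\x26]"

# Constructed sample URIs (not captured traffic), already URL-decoded.
SAMPLES = [
    "/services/help/?module=horde",            # benign alphanumeric value
    "/services/help/?module=horde&show=menu",  # benign, followed by '&'
    "/services/help/?module=",                 # empty value
    "/services/help/?show=menu;module=imp",    # ';' as the delimiter
    "/services/help/?show=menu; module=imp",   # space is in the class too
    "/services/help/?module=horde|id",         # non-alphanumeric in value
]


def matches(pattern: str, uri: str) -> bool:
    """True if the pattern fires anywhere in the decoded URI."""
    return re.search(pattern, uri) is not None


def classify(uri: str) -> dict:
    """Report whether the original and tightened patterns fire on uri."""
    return {
        "uri": uri,
        "original": matches(HORDE_PCRE, uri),
        "tight": matches(TIGHT_PCRE, uri),
    }


if __name__ == "__main__":
    for uri in SAMPLES:
        r = classify(uri)
        print(f"{r['uri']:45s} original={r['original']!s:5s} tight={r['tight']}")
```

Running it shows the original pattern firing on every sample except the empty value, while the tightened one fires only on the value carrying "|". If the rule is meant to catch a non-alphanumeric module value (which is how the surrounding text reads it), the final class needs to exclude the characters the preceding star can hand back.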

