Snort mailing list archives
Better regex expression ($ of "end of string")
From: "Vincent Corriveau" <Vincent.Corriveau () criq qc ca>
Date: Fri, 22 Nov 2002 15:23:30 -0500
I want to have an alert when a user requests an applet (.cab request):

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
    ( \
        msg: "HTTP GET .cab"; \
        uricontent: ".cab"; nocase; \
        flags: A+; \
        classtype: criq; \
    )

Sometimes I have false positive alerts when a user asks, for example:

    GET /abc.cabin.def.jpg

Is it possible to simulate the "$" symbol in a regex expression to specify the end of the string? For example:

    uricontent: ".cab$"; nocase; regex;    (bad!)

I tried these statements without success:

    uricontent: ".cab"; uricontent: !".cab?"; nocase; regex;
    uricontent: ".cab"; offset: -4; nocase;

I run Snort 1.9.0.

Thanks,
Vincent Corriveau
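Added example, not part of the original post and not Snort rule syntax: a Python sketch of the matching logic the question asks for, comparing a ".cab anywhere" substring test with a test anchored to the end of the URI path. The request lines are constructed samples and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /applets/viewer.cab HTTP/1.0",         # real .cab request
    "GET /abc.cabin.def.jpg HTTP/1.0",          # the false positive from the post
    "GET /applets/VIEWER.CAB?ver=2 HTTP/1.0",   # upper case, with a query string
    "GET /img/photo.jpg?ref=old.cab HTTP/1.0",  # ".cab" only inside the query
]

# Case-insensitive, end-anchored: ".cab" must be the last four characters.
CAB_AT_END = re.compile(r"\.cab\Z", re.IGNORECASE)


def request_uri(request_line):
    """Return the URI field of an HTTP request line, or '' if malformed."""
    parts = request_line.split()
    return parts[1] if len(parts) >= 2 else ""


def substring_match(uri):
    """Plain case-insensitive substring test: '.cab' anywhere in the URI."""
    return ".cab" in uri.lower()


def anchored_match(uri):
    """'.cab' at the end of the path; the query string is split off first."""
    path = urlsplit(uri).path
    return CAB_AT_END.search(path) is not None


def compare(request_lines):
    """Return (uri, substring_result, anchored_result) for each request."""
    results = []
    for line in request_lines:
        uri = request_uri(line)
        results.append((uri, substring_match(uri), anchored_match(uri)))
    return results


if __name__ == "__main__":
    for uri, loose, strict in compare(SAMPLE_REQUESTS):
        print(f"{uri:32} substring={loose!s:5} anchored={strict}")
```

The query string is split off before anchoring so that a request such as `viewer.cab?ver=2` still matches while `.cab` appearing only in a parameter value does not.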