Snort mailing list archives

How to reference a $var in pcre?


From: Kirk Vogelsang <kvogelsa () ccs neu edu>
Date: Wed, 12 May 2004 17:10:24 -0400 (EDT)

I'm having a bit of trouble getting access to a variable within a pcre
statement.  For example:

var TEST1 "foo"
var TEST2 "bar"

alert UDP any any -> any 161 ( sid: 123; rev: 1; msg: "Test";
  pcre: !"/\b($TEST1|$TEST2)\b/"; classtype: test;)

I'm trying to test the communities of SNMP packets.  If they're not
what they should be (foo or bar), issue an alert.

Unfortunately, both incorrect and correct packets trigger this alert.
If I replace $TEST1 and $TEST2 with the actual variable text, it works
as expected.

How does one reference vars within a pcre statement?

-----
Kirk M. Vogelsang <kvogelsa () ccs neu edu>
Northeastern University College of Computer Science
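
An added example, not part of the original post: a Python model of the negated pcre option, under the assumption that the pattern text reaches the regex engine with $TEST1 and $TEST2 unexpanded. In that case `$` is an end-of-subject anchor, the pattern can never match, and the negated test fires on every packet, which is the symptom described above. The helper names and the payload bytes are constructed for illustration and are not Snort code.

```python
import re

# Constructed stand-ins for the post's definitions: var TEST1 "foo", var TEST2 "bar"
SNORT_VARS = {"TEST1": "foo", "TEST2": "bar"}
PCRE_TEMPLATE = r"\b($TEST1|$TEST2)\b"  # pattern text taken from the post's rule

# Constructed payload fragments carrying an SNMP-style community string.
GOOD_PAYLOAD = b"\x30\x1a\x02\x01\x00\x04\x03foo\xa0\x10"
BAD_PAYLOAD = b"\x30\x1d\x02\x01\x00\x04\x06public\xa0\x10"


def expand_vars(template, variables):
    """Replace each $NAME with its regex-escaped value (hypothetical helper)."""
    def repl(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"undefined variable ${name}")
        # Escape so a value such as "a.b" is matched literally, not as a regex.
        return re.escape(variables[name])
    return re.sub(r"\$([A-Za-z_][A-Za-z0-9_]*)", repl, template)


def rule_alerts(pattern, payload):
    """Model pcre:!"/pattern/": the rule alerts when the pattern does NOT match."""
    return re.search(pattern.encode(), payload) is None


def compare():
    """Return alert decisions for the unexpanded and the expanded pattern."""
    expanded = expand_vars(PCRE_TEMPLATE, SNORT_VARS)
    return {
        "unexpanded": (rule_alerts(PCRE_TEMPLATE, GOOD_PAYLOAD),
                       rule_alerts(PCRE_TEMPLATE, BAD_PAYLOAD)),
        "expanded": (rule_alerts(expanded, GOOD_PAYLOAD),
                     rule_alerts(expanded, BAD_PAYLOAD)),
    }


if __name__ == "__main__":
    for label, (good, bad) in compare().items():
        print(f"{label:10s} good community alerts={good}  bad community alerts={bad}")
```

Generating the rule text from a template with the values substituted in reproduces the working case the post describes (the literal text in place of the variables).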

