Snort mailing list archives

Re: pattern recognition problems


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 15 Sep 2004 17:26:36 -0400

At 01:48 PM 9/15/2004, Travis Kincher wrote:
Here's an example with rule SID 2278 (WEB-MISC client negative Content-Length attempt)
--------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC client negative Content-Length attempt"; flow:to_server,established; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:bugtraq,9098; reference:bugtraq,9476; reference:bugtraq,9576; reference:cve,2004-0095; classtype:misc-attack; sid:2278; rev:8;)
--------
So, of course, it is looking for an HTTP string containing a negative content-length, i.e. "Content-Length: -1024".

Here is an example of the data that apparently triggered this alert:
--------
HTTP/1.1 206 Partial Content..Server: Netscape-Enterprise/6.0..Date: Tue, 17 Aug 2004 16:09:46 GMT..Content-type: image/jpeg..Etag: "506d-70ab-411a9496"..Last-modified: Wed, 11 Aug 2004 21:50:14 GMT..Content-length: 13019..Content-range: bytes 15824-28842/28843....
--------

My first thoughts were perhaps that PCRE was failing, but I could not find any indication that this was so. Am I missing something here and/or is there a way to confirm or deny that PCRE patterns are working?


Hmm, looking at the regex, and using perl's debugger to parse it, it should run fine as best I can tell. It could be a pcre issue, or a snort decoding issue (i.e.: the stream4 mangling bugs from the days of old).

The only thing I can see wrong with your regex is that the trailing + after \d is pointless since it's at the end of the regex. However, that won't prevent it from working, it's just a minor waste of time and cpu.

sidenote: This works because /\d/ will match on a digit, and doesn't care what follows. /\d+/ will match one or more digits, and doesn't care what follows. Both will match "1" "11111" "1111asdf" or "1asdf".

This optimization of removing a trailing + ONLY works at the end of a regex when no criteria follow (i.e.: /\d+\s/ is different than /\d\s/, but /\d/ and /\d+/ have the same set of matches.)

Similarly ranged expressions {n,m} can be reduced to non-ranged ones {n} at the end of any regex.

I wish I could be of help with your real problem, but I also hope my regex advice helps you to some degree.
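As an added example (not code from either poster), the following Python script replays the two points of this thread: it runs the pcre from SID 2278 against the captured server response to show that the pattern itself does not match it, and it checks the sidenote's claim that dropping a trailing + (or widening {n} to {n,m}) at the end of a pattern leaves the set of matching inputs unchanged. Assumptions: the ".." in the packet dump stands for CR LF, the flow:to_server option is modelled by a plain boolean rather than real stream tracking, and the negative-length request is a constructed sample. Python's re module stands in for PCRE here; for these constructs (\x3a, \s, \d, the s/m/i flags) the semantics agree.

```python
import re

# PCRE pattern from Snort SID 2278 as quoted in the thread.
# PCRE's /smi flags correspond to Python's re.S | re.M | re.I.
SID_2278_FLAGS = re.S | re.M | re.I
SID_2278_PCRE = re.compile(r"^Content-Length\x3a\s*-\d+", SID_2278_FLAGS)

# The rule's content option: a case-insensitive (nocase) substring test for
# "Content-Length:" (|3A| is the hex escape for the colon). Snort runs this
# cheap check before it bothers with the pcre.
SID_2278_CONTENT = "content-length:"


def evaluate_sid_2278(payload, to_server):
    """Walk the rule's checks in order and name the first one that fails, or
    return "alert" when all of them pass. to_server stands in for the
    flow:to_server option (an assumption: real Snort derives direction from
    TCP stream state, which is outside this script)."""
    if not to_server:
        return "flow:to_server failed"
    if SID_2278_CONTENT not in payload.lower():
        return "content failed"
    if SID_2278_PCRE.search(payload) is None:
        return "pcre failed"
    return "alert"


# Constructed sample: the server response from the thread, with the ".." that
# the packet dump printed for CR LF restored to real line breaks (assumption).
BENIGN_RESPONSE = (
    "HTTP/1.1 206 Partial Content\r\n"
    "Server: Netscape-Enterprise/6.0\r\n"
    "Date: Tue, 17 Aug 2004 16:09:46 GMT\r\n"
    "Content-type: image/jpeg\r\n"
    'Etag: "506d-70ab-411a9496"\r\n'
    "Last-modified: Wed, 11 Aug 2004 21:50:14 GMT\r\n"
    "Content-length: 13019\r\n"
    "Content-range: bytes 15824-28842/28843\r\n"
    "\r\n"
)

# Constructed sample of the kind of client request the rule is written for.
NEGATIVE_LENGTH_REQUEST = (
    "POST /upload HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "Content-Length: -1024\r\n"
    "\r\n"
)


def differing_samples(pattern_a, pattern_b, samples, flags=0):
    """Return the samples on which two patterns disagree about whether they
    match at all. Match length is ignored, which is all a Snort pcre option
    cares about: it only asks "did the pattern match somewhere?"."""
    ra, rb = re.compile(pattern_a, flags), re.compile(pattern_b, flags)
    return [s for s in samples if (ra.search(s) is None) != (rb.search(s) is None)]


# The strings from the sidenote plus a few constructed edge cases.
DIGIT_SAMPLES = ["1", "11111", "1111asdf", "1asdf", "asdf", "", "11 ", "1 "]


if __name__ == "__main__":
    # The captured response passes the content check but not the pcre.
    print("benign response:", evaluate_sid_2278(BENIGN_RESPONSE, to_server=True))
    print("negative length:", evaluate_sid_2278(NEGATIVE_LENGTH_REQUEST, to_server=True))

    # Trailing + at the very end: identical match set on both samples.
    print("with/without trailing +:", differing_samples(
        r"^Content-Length\x3a\s*-\d+", r"^Content-Length\x3a\s*-\d",
        [BENIGN_RESPONSE, NEGATIVE_LENGTH_REQUEST], SID_2278_FLAGS))
    # Same for a bare \d+ versus \d, and {2,5} versus {2}, at the end of a pattern.
    print("\\d+ vs \\d:", differing_samples(r"\d+", r"\d", DIGIT_SAMPLES))
    print("{2,5} vs {2}:", differing_samples(r"\d{2,5}", r"\d{2}", DIGIT_SAMPLES))
    # But once something follows the quantifier (here, anchored like the rule),
    # the two patterns really do differ.
    print("^\\d+\\s vs ^\\d\\s:", differing_samples(r"^\d+\s", r"^\d\s", DIGIT_SAMPLES))
```

Running it shows "pcre failed" for the captured response: the pattern requires a "-" right after the optional whitespace, and "Content-length: 13019" has a digit there, so a pure pattern failure cannot explain the alert. Note also that the captured data begins with "HTTP/1.1 206", i.e. it is a server response, which the rule's flow:to_server option should have excluded before the pcre was ever consulted; that is consistent with the reply's suggestion of a stream-handling problem rather than a PCRE one.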
