Snort mailing list archives
NNTP regex 2432
From: steve () Watt COM (Steve Watt)
Date: Tue, 9 Nov 2004 00:38:36 -0800
[ I'm a snort newbie, but thought I knew regexes pretty well ]

I'm getting a fair number of false positives on the rule that's watching for an NNTP post without a Path: header. (I.e. rule number 2432).

I think the problem is with the regex; it appears (to my eyes) to be somewhat broken. It currently says:

pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"

However, there's a .*? in there twice. What is that supposed to mean? Zero or one incidences of zero or more characters? However, modifying the rule so it reads

pcre:!"/^takethis.*Path\x3a.*[\r]{0,1}?\n[\r]{0,1}\n/si"

doesn't seem to fix things.

Here's the packet dump that triggers the rule; it looks to me like the regex should be matching.
00:32:47.116418 IP newsfeed.Stanford.EDU.34889 > wattres.watt.com.nntp: . 804161274:804162734(1460) ack 2722574907 win 24820
0x0000: 4520 05dc d34e 4000 3906 e723 ab40 0e6a E....N@.9..#.@.j
0x0010: 425d 8582 8849 0077 2fee 86fa a247 323b B]...I.w/....G2;
0x0020: 5010 60f4 0952 0000 5441 4b45 5448 4953 P.`..R..TAKETHIS
0x0030: 203c 3130 3939 3938 3931 3536 2e37 3632 .<1099989156.762
0x0040: 3233 382e 3133 3332 3430 4066 3134 6732 238.133240@f14g2
0x0050: 3030 3063 7762 2e67 6f6f 676c 6567 726f 000cwb.googlegro
0x0060: 7570 732e 636f 6d3e 0d0a 5061 7468 3a20 ups.com>..Path:.
0x0070: 6e65 7773 6665 6564 2e73 7461 6e66 6f72 newsfeed.stanfor
0x0080: 642e 6564 7521 706f 7374 6e65 7773 2e67 d.edu!postnews.g
0x0090: 6f6f 676c 652e 636f 6d21 6631 3467 3230 oogle.com!f14g20
0x00a0: 3030 6377 622e 676f 6f67 6c65 6772 6f75 00cwb.googlegrou
0x00b0: 7073 2e63 6f6d 216e 6f74 2d66 6f72 2d6d ps.com!not-for-m
0x00c0: 6169 6c0d 0a46 726f 6d3a 2022 6b6f 6f6c ail..From:."kool
0x00d0: 6669 7265 5f6f 7222 203c 726f 6869 745f fire_or".<rohit_
0x00e0: 6d61 6e6f 6861 7240 6c79 636f 732e 636f manohar () lycos co
0x00f0: 6d3e 0d0a 4e65 7773 6772 6f75 7073 3a20 m>..Newsgroups:.
I suppose I could just add a pass rule, but this seems like a general problem.

In case it matters:

FreeBSD wattres.Watt.COM 5.3-STABLE FreeBSD 5.3-STABLE #0: Mon Nov 1 00:11:07 PST 2004 root () wattres Watt COM:/usr/src/sys/i386/compile/WATTRES i386

I built snort from the FreeBSD ports, and it's 2.2.0.
--
Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9"
Internet: steve @ Watt.COM Whois: SW32
Free time? There's no such thing. It just comes in varying prices...