Snort mailing list archives

Re: problems with Rule using PCRE


From: "Patrick Mullen" <pmullen () sourcefire com>
Date: Wed, 7 Jan 2009 14:05:39 -0500

I am having an issue with false positives for a rule using PCRE.

alert tcp any any ( content:"|BE EF|"; depth:2;
pcre:"/^.{1}(|\x07|\x17|\x27|\x37|\x47|\x57|\x67|\x77|\x87|\x97|\xA7|\xB7|\xC7|\xD7|\xE7|\xF7)/iR"

I was trying to be clever with a bitmask, but the fast, easy way is this --

content:"|BE EF|"; depth:2;
pcre:"/^\xBE\xEF.[\x07\x17\x27\x37\x47\x57\x67\x77\x87\x97\xA7\xB7\xC7\xD7\xE7\xF7]/s";

You don't need (or want) the 'i' flag to pcre because you're matching
binary data, not ascii text.  You do want to have the 's' flag to pcre
to ensure you look at the entire payload as a single string in case
you have a newline as the second byte, otherwise I believe you would
only see the first two chars.  You don't need a group modifier of {1}
when you're only matching a single byte.  Your initial version had a
null match at the beginning of the set, which is why you were getting
false positives.  Since you're only matching a single character, it is
best to use a character class "[ ]" because it might be faster but it
is certainly easier to read and it also reduces memory usage because
it doesn't create a match group which the "( )" will.


Hope this helps,

~Patrick
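To make the two points above concrete (the empty alternative that matches nothing, and the 's' flag for a newline byte), here is an added example that is not part of the thread. It uses Python's re module as a stand-in for PCRE and emulates Snort's relative match by running the original regex on the bytes after the "|BE EF|" content hit; all sample payloads are constructed.

```python
import re

# Original (buggy) regex as posted, run relative to the end of the
# "|BE EF|" content match (Snort's R flag), so the two leading bytes are
# already consumed.  The empty first alternative makes the group optional,
# so any third byte is enough for a match.
ORIGINAL = re.compile(
    rb"^.{1}(|\x07|\x17|\x27|\x37|\x47|\x57|\x67|\x77"
    rb"|\x87|\x97|\xA7|\xB7|\xC7|\xD7|\xE7|\xF7)",
    re.I,
)

# Corrected regex from the reply: anchored at the payload start, a
# character class instead of a group, and 's' so '.' also matches 0x0A.
FIXED = re.compile(
    rb"^\xBE\xEF.[\x07\x17\x27\x37\x47\x57\x67\x77"
    rb"\x87\x97\xA7\xB7\xC7\xD7\xE7\xF7]",
    re.S,
)


def original_alerts(payload: bytes) -> bool:
    """content:"|BE EF|"; depth:2; then the relative (R) pcre."""
    if payload[:2] != b"\xBE\xEF":
        return False
    return ORIGINAL.search(payload[2:]) is not None


def fixed_alerts(payload: bytes) -> bool:
    """content:"|BE EF|"; depth:2; then the absolute pcre."""
    if payload[:2] != b"\xBE\xEF":
        return False
    return FIXED.search(payload) is not None


# Constructed sample payloads (hypothetical, not from the thread).
SAMPLES = {
    "true_positive": b"\xBE\xEF\x00\x07data",   # 4th byte is in the set
    "false_positive": b"\xBE\xEF\x00\x00data",  # 4th byte is not in the set
    "newline_third": b"\xBE\xEF\x0A\x17data",   # 3rd byte is a newline
    "wrong_prefix": b"\xCA\xFE\x00\x07data",    # content match fails
}


def compare() -> dict:
    """Map each sample name to (original alerts?, fixed alerts?)."""
    return {n: (original_alerts(p), fixed_alerts(p)) for n, p in SAMPLES.items()}
```

The "false_positive" sample fires only under the original regex, and the "newline_third" sample fires only under the fixed one, which is exactly the behaviour the reply describes.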
