Snort mailing list archives
Re: PCRE and uricontent anchor
From: evejou <girl () techn0ev3 net>
Date: Fri, 26 Mar 2010 16:01:31 -0400
Would the "POST" content result in an undue number of partial matches? Just wondering, as I have heard several reactions that using thousands of signatures that use HTTP commands like "HEAD" and "POST" can really slow a machine down.

On Fri, Mar 26, 2010 at 2:52 PM, evilghost () packetmail net <evilghost () packetmail net> wrote:
There's no reason that Joel's wouldn't work but like all things there's multiple solutions. I'd write it like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Evil stuff"; flow:established,to_server; content:"POST"; nocase; http_method; uricontent:".aspx?id="; nocase; pcre:"/\.aspx\?id=\d+$/Ui"; classtype: bad-unknown; sid:2010xxx; rev:1;)

Please note the preceding period in the ".aspx" uricontent match as well as the PCRE, and the end of string/buffer anchor in the URI constrained PCRE which matches the cast of the id= query_string. Hope this helped. Replace $HTTP_PORTS with 443 if you're really only concerned with an HTTPS endpoint.

-evilghost

Curt Shaffer wrote:

I am attempting to write a rule that would capture a POST event to a url with a specific file. Here is an example:

https://www.example.com/abc.aspx?id=459184950

The id section is always different. We also want to look for any similar POSTs to any address. With that in mind, here is the basis of what we came up with.

alert tcp $home_net any -> $external_net 443 (msg:"Bad stuff potentially going on"; pcre:"a.\.aspx\?id=.*"; classtype: trojan-activity; sid:10000015; rev:1;)

My question is, I suppose, can we use a pcre match with no content or uricontent anchor, but that would be a pretty slow rule most likely. Does anyone have a suggestion on how I could anchor this to make it more efficient?

Thanks
Curt
-- --- girl () techn0ev3 net Finché c'è vita, c'è speranza. As long as there is life, there is hope.
------------------------------------------------------------------------------ Download Intel® Parallel Studio Eval Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta. http://p.sf.net/sfu/intel-sw-dev
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
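The following is an added example, not code from the thread or from the Snort project. It simulates, in Python, the order in which Snort evaluates the options of evilghost's rule: the cheap content matches on the http_method and URI buffers run first as a prefilter, and only requests that pass them are handed to the PCRE, which (because of the /U modifier) is applied to the URI buffer alone, so its `$` anchors at the end of the URI rather than at the end of the packet. The HTTP requests are constructed sample input; http_inspect's URI normalisation (percent-decoding, path canonicalisation) and the `flow:` check are not modelled. The second pattern, `URI_PCRE_ANY_POS`, is an assumption-labelled variant that is not in the thread; it shows what changes if the id parameter is not required to be the last thing in the query string.

```python
"""Simulated evaluation of the uricontent + pcre:/.../U rule from the thread.

Added example: mimics the Snort 2.x option order (content prefilters first,
PCRE last) for the rule discussed above.  All requests are constructed input.
"""
import re
from typing import Optional, Tuple

# Taken from evilghost's rule:
#   content:"POST"; nocase; http_method;
#   uricontent:".aspx?id="; nocase;
#   pcre:"/\.aspx\?id=\d+$/Ui";
METHOD_CONTENT = b"POST"
URI_CONTENT = b".aspx?id="
URI_PCRE = re.compile(rb"\.aspx\?id=\d+$", re.IGNORECASE)

# Assumed variant (not in the thread): accept id= followed by another
# query parameter, e.g. "?id=123&lang=en", which the `$`-anchored form rejects.
URI_PCRE_ANY_POS = re.compile(rb"\.aspx\?id=\d+(?:&|$)", re.IGNORECASE)


def split_request_line(payload: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Return (method, uri) from the request line, or None if it is not HTTP.

    Stands in for http_inspect filling the http_method and URI buffers.
    """
    line, _, _ = payload.partition(b"\r\n")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0], parts[1]


def rule_matches(payload: bytes, pcre: re.Pattern = URI_PCRE) -> bool:
    """Apply the rule options in Snort's order to one client->server request."""
    parsed = split_request_line(payload)
    if parsed is None:
        return False
    method, uri = parsed

    # content:"POST"; nocase; http_method;  -- searched in the method buffer
    # only, so "POST" appearing in a body or header can never satisfy it.
    if METHOD_CONTENT.lower() not in method.lower():
        return False

    # uricontent:".aspx?id="; nocase;  -- cheap substring check on the URI
    # buffer; this is the anchor that keeps the PCRE off most traffic.
    if URI_CONTENT.lower() not in uri.lower():
        return False

    # pcre:"/.../Ui"  -- evaluated last and only over the URI buffer, so `$`
    # means "end of URI", not "end of packet".
    return pcre.search(uri) is not None


# Constructed sample requests.
HIT = b"POST /abc.aspx?id=459184950 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
WRONG_METHOD = b"GET /abc.aspx?id=459184950 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
# "POST" only in the body: the http_method constraint keeps this from matching.
POST_IN_BODY = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\nPOST /abc.aspx?id=1"
NON_NUMERIC = b"POST /abc.aspx?id=abc HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TRAILING_PARAM = b"POST /abc.aspx?id=459184950&lang=en HTTP/1.1\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("HIT", HIT), ("WRONG_METHOD", WRONG_METHOD),
                      ("POST_IN_BODY", POST_IN_BODY), ("NON_NUMERIC", NON_NUMERIC),
                      ("TRAILING_PARAM", TRAILING_PARAM)]:
        print(f"{name:15} anchored: {rule_matches(req)!s:5} "
              f"any-position: {rule_matches(req, URI_PCRE_ANY_POS)}")
```

The `TRAILING_PARAM` case is the one to check before deploying the `$`-anchored form: it is the right choice if the id really is always the only (or last) parameter, but it silently drops any request where another parameter follows it. Note also that both patterns still require `id=` to be the first parameter after the `?`, because that is what the uricontent string demands.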
Current thread:
- PCRE and uricontent anchor Curt Shaffer (Mar 26)
- Re: PCRE and uricontent anchor Joel Esler (Mar 26)
- Re: PCRE and uricontent anchor Curt Shaffer (Mar 26)
- Re: PCRE and uricontent anchor L0rd Ch0de1m0rt (Mar 26)
- Re: PCRE and uricontent anchor Finney Charles E (Mar 26)
- Re: PCRE and uricontent anchor Joel Esler (Mar 26)
- Re: PCRE and uricontent anchor Curt Shaffer (Mar 26)
- Re: PCRE and uricontent anchor Curt Shaffer (Mar 26)
- Re: PCRE and uricontent anchor Joel Esler (Mar 26)
- Re: PCRE and uricontent anchor evilghost () packetmail net (Mar 26)
- Re: PCRE and uricontent anchor Joel Esler (Mar 26)
- Re: PCRE and uricontent anchor evejou (Mar 26)
- Re: PCRE and uricontent anchor evilghost () packetmail net (Mar 26)
- Re: PCRE and uricontent anchor Joel Esler (Mar 26)
- Re: PCRE and uricontent anchor evilghost () packetmail net (Mar 26)
- Re: PCRE and uricontent anchor Joel Esler (Mar 26)
- Re: PCRE and uricontent anchor Joel Esler (Mar 26)