Snort mailing list archives
Matching the beginning or end of a (preprocessor) content buffer
From: Mike Cox <mike.cox52 () gmail com>
Date: Wed, 7 Nov 2012 15:22:03 -0600
AFAIK, it isn't possible to do this without a PCRE but I thought I'd ask: is it possible to tell a preprocessor content buffer (like http_uri) to match at the end (or beginning) of the buffer without using a PCRE?

For example, let's say I want to match the URI "bad.pdf". I know this will be at the end of the URI (and thus the end of the http_uri buffer) and I want to match that specifically so I don't also get alerts on things like "/bad.pdfoobar/index.aspx". Normally I'd just do this:

    content:"/bad.pdf"; http_uri;

But I know that this will be at the end of the URI buffer and I don't want to do a PCRE as well to ensure this due to performance concerns.

It seems like this ability would be moderately easy to build into the engine and computationally trivial as far as performance goes. Maybe have something like "http_uri:end", "http_uri:beginning", "http_uri:beginning,end", "http_cookie:end", etc., or have special characters (that would otherwise have to be escaped) to indicate that you want to match on the beginning or end of the buffer.

Just a thought since you guys are re-writing the http-inspect preprocessor :)

Joel, feel free to send to snort-dev, I don't think I'm on that list.

Thanks!

-Mike Cox
Current thread:
- Matching the beginning or end of a (preprocessor) content buffer Mike Cox (Nov 07)
- Re: Matching the beginning or end of a (preprocessor) content buffer Joel Esler (Nov 08)
- Re: Matching the beginning or end of a (preprocessor) content buffer Russ Combs (Nov 08)
- Re: Matching the beginning or end of a (preprocessor) content buffer Joel Esler (Nov 08)
- Re: [Snort-sigs] Matching the beginning or end of a (preprocessor) content buffer Mike Cox (Nov 09)
- Re: [Snort-sigs] Matching the beginning or end of a (preprocessor) content buffer Joel Esler (Nov 09)
- Re: [Snort-sigs] Matching the beginning or end of a (preprocessor) content buffer Mike Cox (Nov 09)
- Re: [Snort-sigs] Matching the beginning or end of a (preprocessor) content buffer Joel Esler (Nov 09)
- Re: [Snort-sigs] Matching the beginning or end of a (preprocessor) content buffer Mike Cox (Nov 09)
- Re: [Snort-sigs] Matching the beginning or end of a (preprocessor) content buffer Russ Combs (Nov 09)
- Re: [Snort-sigs] Matching the beginning or end of a (preprocessor) content buffer Joshua Kinard (Nov 10)
- Re: Matching the beginning or end of a (preprocessor) content buffer Russ Combs (Nov 08)
- Re: Matching the beginning or end of a (preprocessor) content buffer Joel Esler (Nov 08)