Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort rule for a pattern match?

From: "Shields, Joseph (NIH/NIEHS) [C]" <joseph.shields () nih gov>
Date: Wed, 27 Mar 2013 14:45:43 +0000
Nathan,
   Thanks for the advice.  However, the problem is the look ahead needs to do a calculation based on a matched value of 
a dot (.).  so we are looking for a pattern.  The first value can be an ascii (inc extended ascii) character.  Here is 
the original posting of the requirement:

I am looking for a pattern that identifies a threat I am tracking and need to write a signature to find it.  The 
problem is that I don’t know what the starting character will be but I will always know what the difference between two 
given characters will be.
 
A simple, human readable, example is:
 
ABCDTSRQ
 
The difference between each character is:
 
[A] is 1 SMALLER than [B] is 1 SMALLER than [C] is 1 SMALLER than [D] is 16 SMALLER than [T] is 1 BIGGER than [S] is 1 
BIGGER than [R] is 1 BIGGER than [Q]
 
The pattern in this example is -1,-1,-1,-16,+1,+1,+1.
 
BCDEXWVU would match this pattern and so would HIJKZXYW.
 
How can I write this rule?

-----Original Message-----
From: lists () packetmail net [mailto:lists () packetmail net] 
Sent: Wednesday, March 27, 2013 10:40 AM
To: Lay, James; Shields, Joseph (NIH/NIEHS) [C]
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Snort rule for a pattern match?

On 03/27/2013 09:29 AM, Lay, James wrote:

James,

   The traffic could be on most any port, though it likely will be 
web.  I think PCRE would be possible if the PERL look ahead with calc 
capability is supported.  I’ve not seen anything showing this 
implementation.  Namely, (?{ code }).



Look-aheads work, check out SID 2016551 in the ET ruleset.  Check the PCRE with the negated look ahead.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neutrino EK Downloading Jar"; 
flow:established,to_server; content:"?h"; http_uri; content:" Java/1."; http_header; fast_pattern; 
pcre:"/\/[a-z]+\?h(?!ash)[a-z]{5,}=[a-f0-9]{24}$/U"; classtype:trojan-activity; sid:2016551; rev:3;)

Cheers, Nathan
------------------------------------------------------------------------------
Own the Future-Intel&reg; Level Up Game Demo Contest 2013
Rise to greatness in Intel's independent game demo contest.
Compete for recognition, cash, and the chance to get your game 
on Steam. $5K grand prize plus 10 genre and skill prizes. 
Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: