Snort mailing list archives
Re: Snort rule for a pattern match?
From: "Shields, Joseph (NIH/NIEHS) [C]" <joseph.shields () nih gov>
Date: Wed, 27 Mar 2013 14:45:43 +0000
Nathan,

Thanks for the advice. However, the problem is the look ahead needs to do a calculation based on a matched value of a dot (.), so we are looking for a pattern. The first value can be an ascii (inc extended ascii) character.

Here is the original posting of the requirement:

I am looking for a pattern that identifies a threat I am tracking and need to write a signature to find it. The problem is that I don't know what the starting character will be but I will always know what the difference between two given characters will be.

A simple, human readable, example is: ABCDTSRQ

The difference between each character is:
[A] is 1 SMALLER than [B] is 1 SMALLER than [C] is 1 SMALLER than [D] is 16 SMALLER than [T] is 1 BIGGER than [S] is 1 BIGGER than [R] is 1 BIGGER than [Q]

The pattern in this example is -1,-1,-1,-16,+1,+1,+1. BCDEXWVU would match this pattern and so would HIJKZXYW.

How can I write this rule?

-----Original Message-----
From: lists () packetmail net [mailto:lists () packetmail net]
Sent: Wednesday, March 27, 2013 10:40 AM
To: Lay, James; Shields, Joseph (NIH/NIEHS) [C]
Cc: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Snort rule for a pattern match?

On 03/27/2013 09:29 AM, Lay, James wrote:
> James,
>
> The traffic could be on most any port, though it likely will be web. I think PCRE would be possible if the PERL look ahead with calc capability is supported. I've not seen anything showing this implementation. Namely, (?{ code }).
Look-aheads work, check out SID 2016551 in the ET ruleset. Check the PCRE with the negated look ahead.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Neutrino EK Downloading Jar"; flow:established,to_server; content:"?h"; http_uri; content:" Java/1."; http_header; fast_pattern; pcre:"/\/[a-z]+\?h(?!ash)[a-z]{5,}=[a-f0-9]{24}$/U"; classtype:trojan-activity; sid:2016551; rev:3;)

Cheers,
Nathan
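One way to express a fixed-difference pattern in a stock Snort pcre: option, added here as an example and not code from anyone in the thread: once the first byte is fixed, the deltas determine every following byte, so the pattern is really a finite set of literal strings (at most 256, here 237 because the walk must stay inside one byte), which can be emitted as a hex-escaped alternation with no code execution inside the regex. The delta sign convention follows the original posting (current byte minus next byte), and the HTTP request line used as input is constructed for the test.

```python
import re

# Delta pattern from the original posting. Each delta is (current byte - next byte),
# so "A is 1 SMALLER than B" is -1 and "D is 16 SMALLER than T" is -16.
DELTAS = (-1, -1, -1, -16, 1, 1, 1)


def expand_delta_pattern(deltas):
    """Return every byte string consistent with the deltas.

    Each delta fixes the next byte from the previous one, so the only free
    choice is the first byte. Keep the starting bytes whose whole walk stays
    inside 0..255.
    """
    literals = []
    for start in range(256):
        walk = [start]
        for d in deltas:
            walk.append(walk[-1] - d)   # next = current - delta
        if all(0 <= b <= 255 for b in walk):
            literals.append(bytes(walk))
    return literals


def build_pcre(deltas):
    """Hex-escaped alternation of all literals, suitable for a pcre: option body."""
    alts = "|".join("".join(f"\\x{b:02x}" for b in lit)
                    for lit in expand_delta_pattern(deltas))
    return f"(?:{alts})"


def scan_deltas(payload, deltas):
    """Direct byte-by-byte scanner; offsets where the delta pattern occurs."""
    n = len(deltas)
    return [i for i in range(len(payload) - n)
            if all(payload[i + k] - payload[i + k + 1] == deltas[k] for k in range(n))]


def regex_hits(payload, deltas):
    """Offsets found by the generated PCRE (lookahead-wrapped so overlaps count).

    Used as a cross-check: it must agree with scan_deltas() on any input.
    """
    pat = re.compile(b"(?=" + build_pcre(deltas).encode() + b")")
    return [m.start() for m in pat.finditer(payload)]


# Constructed sample request line (not from the thread); the pattern starts at offset 5.
SAMPLE = b"GET /ABCDTSRQ?x=1 HTTP/1.1\r\n"
```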