Snort mailing list archives
Re: Mis-Matching traffic with PCRE Rules
From: Todd Wease <twease () sourcefire com>
Date: Fri, 8 Mar 2013 10:01:02 -0500
Waseem,

Can you also attach your snort.conf and a pcap that reproduces the issue.

Thanks,
Todd

On Fri, Mar 8, 2013 at 9:50 AM, waseem sarwar <waseemsarwar103 () hotmail com> wrote:

Hi Joel,

I have tried the rule on snort 2.9.4 version as well and got the same results. The PCRE version I am using is version 8.12 2011-01-15. Please guide me with further debugging or resolution steps.

Thanks,
Waseem

------------------------------
Subject: Re: [Snort-devel] Mis-Matching traffic with PCRE Rules
From: jesler () sourcefire com
Date: Fri, 8 Mar 2013 09:28:33 -0500
CC: snort-devel () lists sourceforge net
To: waseemsarwar103 () hotmail com

On Mar 8, 2013, at 5:43 AM, waseem sarwar <waseemsarwar103 () hotmail com> wrote:

I have a pcre based rule as follows in my rules file:

alert udp any any -> any 53 (msg:"MALWARE domain capodeicapi.eu"; pcre:"m/ capodeicapi.eu/i"; classtype:trojan-activity; sid:5000968;)

Hm.. I'm not sure what you are doing with the "m" in your pcre there.. but if you are trying to match on a domain name lookup, that rule won't work. The "." in a domain name is actually a number. And it would be faster and better to do a content match there.

content:"capodeicapi|02|eu";

or something like that.

The issue I am facing is that this rule also matches for the domain http://capo.eu which it should not match. I am also facing a similar problem with more pcre rules, such that they match substring-based URLs of the actual rules. I am using snort version 2.9.1.

First thing I am going to ask you to do is upgrade your version of Snort. We are on 2.9.4.1 now, support for 2.9.1 ended about a year ago. In addition to that, I also need to know what version of pcre you have installed on the box.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the endpoint security space. For insight on selecting the right partner to tackle endpoint security challenges, access the full report. http://p.sf.net/sfu/symantec-dev2dev
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
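Joel's point above, that the dot of a domain name is a length byte on the wire, can be checked against constructed DNS queries. This example is added here and is not code from the thread or from Snort; it builds the queries itself, re-implements Snort's |hex| content notation only far enough to decode the suggested content match, and uses the posted regex without the leading space that appears in the rule.

```python
import re
import struct


def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort content string such as 'capodeicapi|02|eu' into raw bytes:
    text outside |...| is literal, hex pairs inside |...| are single bytes."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def encode_qname(name: str) -> bytes:
    """DNS wire form of a name: each label is preceded by its length byte,
    the dots never appear, and a zero byte terminates the name."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    return bytes(out + b"\x00")


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard A/IN query with RD set and one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", 1, 1)


# The thread's regex (minus the leading space in the posted rule) and the
# content match Joel suggested; the unescaped '.' matches the label-length byte.
PCRE_FROM_THREAD = re.compile(rb"capodeicapi.eu", re.IGNORECASE)
CONTENT_FROM_THREAD = snort_content_to_bytes("capodeicapi|02|eu")
DOTTED_LITERAL = b"capodeicapi.eu"  # what a naive literal match would look for


def evaluate(names):
    """For each constructed query return (pcre_hit, content_hit, dotted_hit)."""
    results = {}
    for name in names:
        payload = build_dns_query(name)
        results[name] = (
            PCRE_FROM_THREAD.search(payload) is not None,
            CONTENT_FROM_THREAD in payload,
            DOTTED_LITERAL in payload,
        )
    return results


if __name__ == "__main__":
    for name, hits in evaluate(["capodeicapi.eu", "capo.eu", "www.capodeicapi.eu"]).items():
        print(f"{name:22} wire={encode_qname(name).hex()} pcre/content/dotted={hits}")
```

Against these constructed queries the regex does not match capo.eu, so the output does not reproduce the reported false positive by itself; it does show that the dotted literal never appears in a DNS payload while the |02| content match does.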
Current thread:
- Mis-Matching traffic with PCRE Rules waseem sarwar (Mar 08)
- Re: Mis-Matching traffic with PCRE Rules Joel Esler (Mar 08)
- Re: Mis-Matching traffic with PCRE Rules waseem sarwar (Mar 08)
- Re: Mis-Matching traffic with PCRE Rules Todd Wease (Mar 08)
- Re: Mis-Matching traffic with PCRE Rules Joshua Kinard (Mar 08)
- Re: Mis-Matching traffic with PCRE Rules waseem sarwar (Mar 08)
- Re: Mis-Matching traffic with PCRE Rules Joel Esler (Mar 08)