Re: Mis-Matching traffic with PCRE Rules

[Todd Wease <twease () sourcefire com>]

Waseem,

Can you also attach your snort.conf and a pcap that reproduces the issue.

Thanks,
Todd

On Fri, Mar 8, 2013 at 9:50 AM, waseem sarwar
<waseemsarwar103 () hotmail com>wrote:

> Hi Jeol,
>
> I have tried the rule on snort 2.9.4 version as well and got the same
> results. The PCRE version I am using is version: 8.12 2011-01-15. Please
> guide me with further debugging or resolution steps.
>
> Thanks,
> Waseem
>
> ------------------------------
> Subject: Re: [Snort-devel] Mis-Matching traffic with PCRE Rules
> From: jesler () sourcefire com
> Date: Fri, 8 Mar 2013 09:28:33 -0500
> CC: snort-devel () lists sourceforge net
> To: waseemsarwar103 () hotmail com
>
>
> On Mar 8, 2013, at 5:43 AM, waseem sarwar <waseemsarwar103 () hotmail com>
> wrote:
>
> I have a pcre based rule as follow in my rules file,
>
> alert udp any any -> any 53 (msg:"MALWARE domain capodeicapi.eu"; pcre:"m/
> capodeicapi.eu/i"; classtype:trojan-activity; sid:5000968;)
>
>
> Hm..
> I'm not sure what you are doing with the "m" in your pcre there..  but if
> you are trying to match on a domain name look up, that rule won't work.
>  The "." in a domain name is actually a number.  And it would be faster and
> better to do a content match there.  content:"capodeicapi|02|eu"; or
> something like that.
>
>
> The issue I am facing is that this rule also matches for the domain
> http://capo.eu which it should not match. I am also facing similar
> problem with more pcre rules such that they match sub string based url of
> actual rules . I am using snort version 2.9.1.
>
>
> First thing I am going to ask you to do is upgrade your version of Snort.
>  We are on 2.9.4.1 now, support for 2.9.1 ended about a year ago.  In
> addition to that, I also need to know what version of pcre you have
> installed on the box.
>
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
>
> ------------------------------------------------------------------------------
> Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
> Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the
> endpoint security space. For insight on selecting the right partner to
> tackle endpoint security challenges, access the full report.
> http://p.sf.net/sfu/symantec-dev2dev
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> Archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
>
> Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester  
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the  
endpoint security space. For insight on selecting the right partner to 
tackle endpoint security challenges, access the full report. 
http://p.sf.net/sfu/symantec-dev2dev

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!