Snort mailing list archives
Re: [help,urgent] Using PCRE to match packets in hex
From: rmkml <rmkml () yahoo fr>
Date: Sun, 27 Oct 2013 21:23:29 +0100 (CET)
Hi Yoyo and Jeremy,

Well, it's not easy to create a rule for unknown network traffic, but this sig works for the two pcaps submitted:

alert tcp any any -> any any (msg:"Some message"; flow:to_server,established; content:"|11 13|"; depth:2; pcre:"/^\x11\x13.{8}(?:windows|linux)/s"; sid:1234567; rev:2;)

Don't remember if I checked checksums or not... (-k none)

Best Regards
@Rmkml

On Sun, 27 Oct 2013, Yoyo Lam wrote:
These would be samples for checking. They are fetched using Wireshark. You can find it at the first packets to 130.37.198.87.

A sample of the packet that I want to match is already in the regex site I put before. I thought there would be no problem with my packet. I just want to know how to use my pattern to match against the hex dump of the packet. I didn't use content since I don't really get how to use it properly, and with my programming experience, I am more familiar with regex. And it seems that using pcre alone is ok. (not thoroughly tested)

Yoyo

2013/10/27 Jeremy Hoel <jthoel () gmail com>:

Without a pcap of the data you're trying to hit on, it's hard to tell... but this section mentions you might want a content part of the rule also.
http://manual.snort.org/node32.html#SECTION004523200000000000000

On Oct 27, 2013 12:43 PM, "Yoyo Lam" <mtcyoyo () gmail com> wrote:

Hello experts,

I have a problem with PCRE. I wrote a PCRE pattern that perfectly matches a certain message, and I checked it in some regex checker and there is no problem. But when I put it in a Snort rule with the B modifier, it doesn't work. Please help me figure out what happened.

The PCRE check page: http://www.phpliveregex.com/p/1In

My Snort rule:
alert tcp any any -> any any (pcre:"/([0-9a-fA-F]{2})13([0-9a-fA-F]{2}){8}(77696e646f7773|6c696e7578)/B"; msg:"Some message"; sid:1234567; rev:1;)

Please help me by either
1) Telling me what I have forgotten to add/change/remove;
2) Giving me the working rule :D
3) Any way that can solve this fast

This is quite urgent, so please help me asap.

Best regards,
Yoyo
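The difference between the two rules in this thread, as an added example in Python (not code from the thread or from the Snort project): Snort's pcre option, with or without the B modifier, runs the regex over the raw payload bytes, never over a hex dump of them. A pattern written against hex text such as 77696e646f7773 therefore matches in a browser regex tester fed a hex dump but never matches a live packet, while \x11\x13 and the literal words windows/linux do. The payload below is constructed for this example, the /s flag is modelled with re.DOTALL, and rule_matches emulates the content/depth/pcre clauses of rmkml's rule rather than running Snort.

```python
import re

# Constructed sample payload (not one of the pcaps from the thread): the
# two-byte marker 0x11 0x13, eight arbitrary bytes that deliberately include
# 0x0a (newline) and 0x00, then the ASCII string "windows" and some trailer.
SAMPLE_PAYLOAD = (
    b"\x11\x13"
    + b"\x00\x0a\xff\x01\x02\x03\x04\x05"
    + b"windows"
    + b"\x00trailer"
)

# The pattern from the original rule: written against a hex dump, so it looks
# for the ASCII digits "13" and the ASCII spelling of "windows"/"linux".
HEX_TEXT_PATTERN = re.compile(
    rb"([0-9a-fA-F]{2})13([0-9a-fA-F]{2}){8}(77696e646f7773|6c696e7578)"
)

# The pattern from rmkml's reply: written against the raw bytes Snort hands to
# pcre. re.DOTALL plays the role of the /s flag so that '.' also matches 0x0a.
RAW_BYTE_PATTERN = re.compile(rb"^\x11\x13.{8}(?:windows|linux)", re.DOTALL)

# Same pattern without /s, to show why rmkml added the flag.
RAW_BYTE_PATTERN_NO_S = re.compile(rb"^\x11\x13.{8}(?:windows|linux)")


def hex_pattern_matches_hexdump(payload: bytes) -> bool:
    """What the online regex checker saw: the regex applied to a hex dump."""
    return HEX_TEXT_PATTERN.search(payload.hex().encode("ascii")) is not None


def hex_pattern_matches_raw(payload: bytes) -> bool:
    """What Snort actually does: the same regex applied to the raw bytes."""
    return HEX_TEXT_PATTERN.search(payload) is not None


def raw_pattern_matches(payload: bytes) -> bool:
    """rmkml's byte-oriented regex applied to the raw bytes (with /s)."""
    return RAW_BYTE_PATTERN.search(payload) is not None


def raw_pattern_without_s_matches(payload: bytes) -> bool:
    """The same regex without /s: fails as soon as a 0x0a sits in the 8-byte gap."""
    return RAW_BYTE_PATTERN_NO_S.search(payload) is not None


def rule_matches(payload: bytes) -> bool:
    """Emulate the match logic of rmkml's rule (flow: is ignored here):

    content:"|11 13|"; depth:2;  -> the two bytes must occur within the first
                                    two payload bytes, i.e. at offset 0
    pcre:"/^\\x11\\x13.{8}(?:windows|linux)/s"  -> regex over the raw payload
    """
    content = b"\x11\x13"
    depth = 2
    if payload[:depth].find(content) == -1:
        return False  # cheap content prefilter rejects before pcre runs
    return raw_pattern_matches(payload)


if __name__ == "__main__":
    print("hex regex vs hex dump :", hex_pattern_matches_hexdump(SAMPLE_PAYLOAD))
    print("hex regex vs raw bytes:", hex_pattern_matches_raw(SAMPLE_PAYLOAD))
    print("byte regex /s         :", raw_pattern_matches(SAMPLE_PAYLOAD))
    print("byte regex without /s :", raw_pattern_without_s_matches(SAMPLE_PAYLOAD))
    print("full rule             :", rule_matches(SAMPLE_PAYLOAD))
```

The content/depth clause is not just a style point: Snort uses the content match as a fast-pattern prefilter, so the comparatively expensive regex only runs on packets that already begin with 11 13. Anchoring the pcre with ^ keeps the two clauses consistent, and pcap replay with -k none is worth remembering when captured packets carry bad checksums.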