Snort mailing list archives
Adding Regex into Snort rule
From: Charlie Egan <chas5873 () gmail com>
Date: Sat, 14 Jun 2014 20:18:34 +0100
Hi guys,

I'm trying to write a rule which detects a buffer overflow exploit to a web server which I'm running on a Windows XP VM. After looking at the hex dump in Wireshark after firing off the exploit I was able to take some of the content so Snort detects it, although I'm wanting to add a regex into the rule as well to make it more advanced.

http://oi59.tinypic.com/2ptqibl.jpg - Hex dump from Wireshark
http://oi60.tinypic.com/flkeaq.jpg - Exploit code

alert tcp any any -> any any (msg:"Buffer Overflow Attempt"; content:"|90 90 90 90 90 90 90 90|"; flow:to_server,established; classtype:misc-attack; sid:1000001; rev:1;)

Now to my understanding, regexes are added into Snort rules by using a pcre command? So I would add into, say, before the content section of the rule:

pcre:"regex here";

When I'm reloading Snort after adding my regex, it's not loading and giving me an error. If anyone could point me in the right direction of what the problem is, it would be much appreciated!

Cheers
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
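For reference, here is the rule from the post with a pcre option written in the form Snort's rule parser accepts (an added example for this archive page, not from the original message or the Snort project): the expression has to be wrapped in forward slashes inside the quotes, with any flags placed after the closing slash. The regex itself, the flag choice and the new sid are constructed assumptions and are not taken from the exploit or the poster's rule.

```snort
# Constructed example: the poster's rule plus a pcre option.
# pcre syntax is   pcre:"/<expression>/<flags>";   the slashes are mandatory,
# so   pcre:"regex here";   without them is rejected when the rules load.
#
# Flag R = anchor the match at the end of the previous content match.
# The content match is evaluated first (it is the fast-pattern), so the
# pcre only runs on packets that already carry the eight 0x90 bytes; with R
# it then requires at least eight MORE 0x90 bytes directly after them, i.e.
# a sled of 16+ bytes. Drop R to search from the start of the payload instead.
# A trailing backslash continues a rule onto the next line.
alert tcp any any -> any any ( \
    msg:"Buffer Overflow Attempt - NOP sled of 16 or more bytes"; \
    flow:to_server,established; \
    content:"|90 90 90 90 90 90 90 90|"; \
    pcre:"/\x90{8,}/R"; \
    classtype:misc-attack; sid:1000002; rev:1; )
```

Keep the content option in the rule even once the pcre works: a rule with only a pcre has no fast-pattern for the matcher to pre-filter on, so every packet on the flow would be handed to the regex engine.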