Snort mailing list archives
Issue with pcre
From: Sean Cavanaugh <sean.cavanaugh () ll mit edu>
Date: Mon, 6 Oct 2014 16:35:09 -0400
Good afternoon all,I am relatively new to writing Snort sigs and have been having some issues with loading the rule shown below into our Sourcefire IPS, but receive the error message "...unable to parse pcre regex "trackback\/$/EiU".
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Trackback attempt"; flow:established,to_server; content:"POST"; http_method; uricontent:"/trackback/"; nocase; pcre:"\/trackback\/$/EiU"; sid:xxxxxxx;)
I am attempting to be alerted when the string "/trackback/" is at the end of the URI for a POST to our web server. I have tried a few variations of the rule but nothing I have done seems to take.
Thank you, -Sean
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
------------------------------------------------------------------------------ Slashdot TV. Videos for Nerds. Stuff that Matters. http://pubads.g.doubleclick.net/gampad/clk?id=160591471&iu=/4140/ostg.clktrk
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Issue with pcre Sean Cavanaugh (Oct 06)
- Re: Issue with pcre lists (Oct 06)
- Re: Issue with pcre Sean Cavanaugh (Oct 06)
- Re: Issue with pcre lists (Oct 06)
- Re: Issue with pcre Joel Esler (jesler) (Oct 06)
- Re: Issue with pcre lists (Oct 06)
- Re: Issue with pcre Joel Esler (jesler) (Oct 06)
- Re: Issue with pcre lists (Oct 06)
- Re: Issue with pcre Sean Cavanaugh (Oct 06)
- Re: Issue with pcre lists (Oct 06)
- Re: Issue with pcre waldo kitty (Oct 06)
- Re: Issue with pcre lists (Oct 06)
- Re: Issue with pcre waldo kitty (Oct 06)