Dailydave mailing list archives

RE: Testing the quickness of signature writers


From: "M. Shirk" <shirkdog_list () hotmail com>
Date: Tue, 02 May 2006 14:20:01 -0400

>> pcre:"/[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]/U";

> A forward slash, followed by any one char from the set ('?', ';', '&')
> followed by the literal text "module=" followed by any number (zero or more)
> alphanumerics followed by any char that is neither ';' nor '&'. All matched
> against the decoded URI buffer.

That space after the \? will be evaluated in the character set and the forward slash acts as the bracket for the pcre expression.

I assume Brian wanted the space in that first char set.

Shirkdog
http://www.shirkdog.us




From: "Dave Korn" <dave.korn () artimi com>
To: "'Dave Aitel'" <dave () immunityinc com>,"'Brian Caswell'" <bmc () snort org>
CC: 'dailydave' <dailydave () lists immunitysec com>
Subject: RE: [Dailydave] Testing the quickness of signature writers
Date: Tue, 2 May 2006 15:44:36 +0100

On 02 May 2006 15:39, Dave Aitel wrote:

> Brian Caswell wrote:

>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-
>> PHP horde help module arbitrary command execution attempt";
>> flow:established,to_server; uricontent:"/services/help/";
>> pcre:"/[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]/U";
>> classtype:web-application-attack;)

> Does your script break if I shove a space in between the \x3b and the
> \x26? I try to understand snort signatures, but they're essentially
> optimized to be exactly the opposite of what my brain can handle. PCRE
> is here
>
> http://www.snort.org/docs/snort_manual/node21.html#SECTION004510000000000000000
> but maybe I'm not seeing it right.




I.e. it's looking at the url-encoded cgi parameters (which always follow a ? ; or &) for one that matches 'module=.....something...' and making sure that the bit after the equals sign has only alphanums until it meets the delimiter
which identifies the next field.

    cheers,
      DaveK
--
Can't think of a witty .sigline today....


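The thread above disagrees about what the leading character class in Brian's pcre accepts and whether the slash in front of it is a literal. The following is an added example, not code from the original thread or from the Snort project: it runs the same regular expression (with Snort's `/.../U` delimiters stripped) through Python's `re` module over a few constructed URIs, approximating the `/U` modifier with a percent-decode and the rule's `uricontent` precondition with a substring check. The function names, the sample URIs and the decoding approximation are assumptions of this example.

```python
import re
from typing import Optional
from urllib.parse import unquote

# The PCRE from Brian Caswell's rule with the /.../U delimiters removed.
# The leading "/" in the rule is the PCRE delimiter, not a literal slash;
# the character class holds four characters: '?', ' ', ';' and '&'.
HORDE_MODULE_RE = re.compile(r"[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]")

# The uricontent precondition from the same rule.
URICONTENT = "/services/help/"


def decode_uri(raw_uri: str) -> str:
    """Approximate Snort's /U modifier: match against the percent-decoded URI.

    Snort's real URI normalisation does more than this (hypothetical
    simplification for the example), but percent-decoding is the part
    that matters for these inputs.
    """
    return unquote(raw_uri)


def rule_matches(raw_uri: str) -> Optional[str]:
    """Return the text the pcre option matches, or None if the rule would not fire.

    Mirrors the two content checks in the rule: uricontent must appear in the
    decoded URI, then the pcre is searched over the same buffer.
    """
    uri = decode_uri(raw_uri)
    if URICONTENT not in uri:
        return None
    m = HORDE_MODULE_RE.search(uri)
    return m.group(0) if m else None


def class_members() -> list:
    """Which of these single characters the leading character class accepts.

    '/' is included in the candidates to show that the rule's leading slash
    is a delimiter and is not part of the class.
    """
    candidates = ["?", " ", ";", "&", "/"]
    return [c for c in candidates if re.fullmatch(r"[\? \x3b\x26]", c)]


if __name__ == "__main__":
    # Constructed sample request URIs (not captured traffic).
    samples = [
        "/services/help/?module=abc&x=1",   # ordinary delimiter
        "/services/help/ module=foo",       # the space Shirk points out
        "/services/help/%3Fmodule=foo",     # '?' arrives percent-encoded
        "/services/help/?module=",          # empty value
        "/services/help/?module=&x=1",      # empty value, next field follows
        "/other/?module=foo",               # uricontent precondition fails
    ]
    print("class accepts:", class_members())
    for s in samples:
        print(f"{s!r:40} -> {rule_matches(s)!r}")
```

Two things the assertions bring out. First, `class_members()` confirms Shirk's reading: the space is a member of the class and `/` is not, so a request with `" module="` fires the rule while nothing requires a slash before the `?`. Second, because `[a-zA-Z0-9]*` can backtrack, the trailing `[^\x3b\x26]` is satisfied by the last alphanumeric of the value itself; the pcre therefore fires on any non-empty `module=` value and only an empty value (`module=` followed by nothing or by a delimiter) escapes it.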

