Dailydave mailing list archives
RE: Testing the quickness of signature writers
From: "M. Shirk" <shirkdog_list () hotmail com>
Date: Tue, 02 May 2006 14:20:01 -0400
>> pcre:"/[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]/U";
>
> A forward slash, followed by any one char from the set ('?', ';', '&') followed by the literal text "module=" followed by any number (zero or more) alphanumerics followed by any char that is neither ';' nor '&'. All matched against the decoded URI buffer.
That space after the \? will be evaluated in the character set and the forward slash acts as the bracket for the pcre expression.
I assume Brian wanted the space in that first char set.

Shirkdog
http://www.shirkdog.us
From: "Dave Korn" <dave.korn () artimi com>
To: "'Dave Aitel'" <dave () immunityinc com>, "'Brian Caswell'" <bmc () snort org>
CC: 'dailydave' <dailydave () lists immunitysec com>
Subject: RE: [Dailydave] Testing the quickness of signature writers
Date: Tue, 2 May 2006 15:44:36 +0100

On 02 May 2006 15:39, Dave Aitel wrote:
> Brian Caswell wrote:
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP horde help module arbitrary command execution attempt"; flow:established,to_server; uricontent:"/services/help/"; pcre:"/[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]/U"; classtype:web-application-attack;)
> Does your script break if I shove a space in between the \x3b and the \x26? I try to understand snort signatures, but they're essentially optimized to be exactly the opposite of what my brain can handle. PCRE is here http://www.snort.org/docs/snort_manual/node21.html#SECTION004510000000000000000 but maybe I'm not seeing it right.
I.e. it's looking at the url-encoded cgi parameters (which always follow a ? ; or &) for one that matches 'module=.....something...' and making sure that the bit after the equals sign has only alphanums until it meets the delimiter which identifies the next field.

cheers,
DaveK
--
Can't think of a witty .sigline today....
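Editor's note: the following is an added worked example, not code posted by anyone in this thread and not part of the Snort rule set. It runs the rule's PCRE (with the Snort-specific /U modifier dropped, since that selects the decoded URI buffer rather than changing the regex) over a handful of constructed request URIs, using Python's re module, which accepts every construct this particular pattern uses. Percent-decoding with urllib is a rough stand-in for Snort's URI normalization, and the uricontent:"/services/help/" prerequisite is mirrored by a plain substring check; both are assumptions of the example. It shows three things the thread turns on: the literal space inside the first character class is a member of that class, so "/services/help/ module=help" matches; because [a-zA-Z0-9]* can backtrack, any non-empty module= value followed by ';' or '&' still matches (the regex does not actually enforce "alphanumerics only up to the delimiter"); and the hypothetical variant with a space between \x3b and \x26 only behaves differently when the value begins with a space and there is nothing left to backtrack over.

```python
import re
from typing import Dict, Optional
from urllib.parse import unquote

# The PCRE from the Snort rule quoted in the thread.  The trailing /U is not a
# regex flag: it tells Snort to run the pattern over the normalized (decoded)
# URI buffer, so it is dropped here and the decoding is emulated below.
SIG_PCRE = r"[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]"

# Dave Aitel's hypothetical variant, a space "shoved in between the \x3b and
# the \x26".  That lands inside the *negated* class, so the character after
# the value may then be neither ';', ' ' nor '&'.  (Assumed edit, for contrast.)
SPACED_PCRE = r"[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b \x26]"

# Mirrors the rule's uricontent:"/services/help/" prerequisite.
URICONTENT = "/services/help/"


def normalize_uri(raw_uri: str) -> str:
    """Rough stand-in for Snort's decoded URI buffer: percent-decoding only."""
    return unquote(raw_uri)


def rule_matches(raw_uri: str, pcre: str = SIG_PCRE) -> bool:
    """True if both the uricontent check and the PCRE hit the decoded URI."""
    uri = normalize_uri(raw_uri)
    if URICONTENT not in uri:
        return False
    return re.search(pcre, uri) is not None


def matched_span(raw_uri: str, pcre: str = SIG_PCRE) -> Optional[str]:
    """The exact substring the PCRE consumed, to show where backtracking lands."""
    m = re.search(pcre, normalize_uri(raw_uri))
    return m.group(0) if m else None


# Constructed request URIs; none come from the thread or from a real capture.
SAMPLES = [
    # (uri, expected result with SIG_PCRE)
    ("/services/help/?module=help",        True),   # any non-empty value hits
    ("/services/help/?module=help&show=1", True),   # backtracks: 'hel' + 'p'
    ("/services/help/?module=foo%3Bbar",   True),   # decoded ';' inside the value
    ("/services/help/ module=help",        True),   # literal space is in the class
    ("/services/help/%3Fmodule%3Dhelp",    True),   # only matches after decoding
    ("/services/help/?module=&show=1",     False),  # empty value: nothing for [^;&]
    ("/services/help/?module=",            False),  # value at end of URI
    ("/services/help/?Module=help",        False),  # no /i, so case-sensitive
    ("/index.php?module=foo%3Bbar",        False),  # uricontent prerequisite fails
]


def run_samples(pcre: str = SIG_PCRE) -> Dict[str, bool]:
    """Evaluate every sample URI against the given pattern."""
    return {uri: rule_matches(uri, pcre) for uri, _ in SAMPLES}


if __name__ == "__main__":
    for uri, expected in SAMPLES:
        got = rule_matches(uri)
        tag = "HIT " if got else "miss"
        print(f"{tag} {uri!r:40} span={matched_span(uri)!r}")
        assert got == expected
    # The one place the extra space changes the outcome: a value that starts
    # with a space, where [a-zA-Z0-9]* is empty and nothing can backtrack.
    assert rule_matches("/services/help/?module= x", SIG_PCRE)
    assert not rule_matches("/services/help/?module= x", SPACED_PCRE)
```

Running it prints a HIT/miss line per sample with the substring the regex consumed, e.g. "?module=help" for the "&show=1" case, which is the backtracking at work. The practical caveat for anyone tuning this rule is that the trailing [^\x3b\x26] is satisfied by the last character of a perfectly ordinary value, so the PCRE fires on benign module= parameters under /services/help/ as well as on the ones it was written for.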
Current thread:
- Testing the quickness of signature writers Dave Aitel (May 01)
- Re: Testing the quickness of signature writers Brian Caswell (May 01)
- Re: Testing the quickness of signature writers Dave Aitel (May 02)
- RE: Testing the quickness of signature writers Dave Korn (May 02)
- RE: Testing the quickness of signature writers M. Shirk (May 02)
- Re: Testing the quickness of signature writers Dave Aitel (May 02)
- Re: Testing the quickness of signature writers Brian Caswell (May 02)
- RE: Testing the quickness of signature writers Dave Korn (May 02)
- Re: Testing the quickness of signature writers Dave Aitel (May 02)
- Re: Testing the quickness of signature writers Brian Caswell (May 01)
- Re: Testing the quickness of signature writers Brian Caswell (May 02)