Re: problems with Rule using PCRE

["Document Retention" <document.retention () gmail com>]

:) Indeed Alex....!

Thank you for your help on this.... I was pulling my hair out on this :)

Regards,

DR

On Wed, Jan 7, 2009 at 1:50 PM, Alex Kirk <akirk () sourcefire com> wrote:

> I do not think that content means what you think it means.
>
> The original poster here wanted to find any one of the bytes listed in his
> expression there. Your suggested content clause will require all of them, in
> sequence - such that it would only match on:
>
> BE EF .. 07 17 27 37 47 57 67 77 87 97 A7 B7 C7 D7 E7 F7
>
> Which is clearly not the intent here.
>
> Alex Kirk
> Research Analyst
> Sourcefire, Inc.
>
> On Wed, Jan 7, 2009 at 1:17 PM, Bachelor, Stephen A CTR USSOCOM HQ <
> Stephen.Bachelor.ctr () socom mil> wrote:
>
> > I've never seen a quantifier used for exactly one of anything before.
> > Plus, given the relative speed of PCRE and the fact that you're not
> > actually doing anything requiring regex, I'd replace
> > 'pcre:"/^.{1}(|\x07|\x17|\x27|\x37|\x47|\x57|\x67|\x77|\x87|\x97|\xA7|\x
> > B7|\xC7|\xD7|\xE7|\xF7)/iR"' with 'content:" |07 17 27 37 47 57 67 77 87
> > 97 A7 B7 C7 D7 E7 F7|"; distance 1;'
> >
> > -----Original Message-----
> > From: Document Retention [mailto:document.retention () gmail com]
> > Sent: Wednesday, January 07, 2009 12:48 PM
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] problems with Rule using PCRE
> >
> > Greetings,
> >
> >
> > I am having an issue with false positives for a rule using PCRE.
> >
> >
> > alert tcp any any ( content:"|BE EF|"; depth:2;
> > pcre:"/^.{1}(|\x07|\x17|\x27|\x37|\x47|\x57|\x67|\x77|\x87|\x97|\xA7|\xB
> > 7|\xC7|\xD7|\xE7|\xF7)/iR"
> >
> > sudo :  make sure it is beef, then match anything for 1 byte, then match
> > these hex values relative to last match.
> >
> >
> > I am trying to match the 4th byte in ( offset 3 ).
> >
> >
> > data :  BE EF 01 07 .......    should trigger rule
> >
> > However, It seems as thought the pcre will continue to look through the
> > rest of the packet (until the end)
> >
> >
> > How can I get it to look only at the 4th byte ?
> >
> >
> > Any help would be greatly appreciated.
> >
> >
> > Thanks,
> >
> >
> > DR
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Check out the new SourceForge.net Marketplace.
> > It is the best place to buy or sell services for
> > just about anything Open Source.
> > http://p.sf.net/sfu/Xq1LFB
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users<https://lists.sourceforge.net/lists/listinfo/snort-usersSnort-users>list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It is the best place to buy or sell services for
just about anything Open Source.
http://p.sf.net/sfu/Xq1LFB

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users