Snort mailing list archives
Re: problems with Rule using PCRE
From: "Document Retention" <document.retention () gmail com>
Date: Wed, 7 Jan 2009 14:03:33 -0500
:) Indeed Alex....! Thank you for your help on this.... I was pulling my hair out on this :) Regards, DR On Wed, Jan 7, 2009 at 1:50 PM, Alex Kirk <akirk () sourcefire com> wrote:
I do not think that content means what you think it means. The original poster here wanted to find any one of the bytes listed in his expression there. Your suggested content clause will require all of them, in sequence - such that it would only match on: BE EF .. 07 17 27 37 47 57 67 77 87 97 A7 B7 C7 D7 E7 F7 Which is clearly not the intent here. Alex Kirk Research Analyst Sourcefire, Inc. On Wed, Jan 7, 2009 at 1:17 PM, Bachelor, Stephen A CTR USSOCOM HQ < Stephen.Bachelor.ctr () socom mil> wrote:I've never seen a quantifier used for exactly one of anything before. Plus, given the relative speed of PCRE and the fact that you're not actually doing anything requiring regex, I'd replace 'pcre:"/^.{1}(|\x07|\x17|\x27|\x37|\x47|\x57|\x67|\x77|\x87|\x97|\xA7|\x B7|\xC7|\xD7|\xE7|\xF7)/iR"' with 'content:" |07 17 27 37 47 57 67 77 87 97 A7 B7 C7 D7 E7 F7|"; distance 1;' -----Original Message----- From: Document Retention [mailto:document.retention () gmail com] Sent: Wednesday, January 07, 2009 12:48 PM To: snort-users () lists sourceforge net Subject: [Snort-users] problems with Rule using PCRE Greetings, I am having an issue with false positives for a rule using PCRE. alert tcp any any ( content:"|BE EF|"; depth:2; pcre:"/^.{1}(|\x07|\x17|\x27|\x37|\x47|\x57|\x67|\x77|\x87|\x97|\xA7|\xB 7|\xC7|\xD7|\xE7|\xF7)/iR" sudo : make sure it is beef, then match anything for 1 byte, then match these hex values relative to last match. I am trying to match the 4th byte in ( offset 3 ). data : BE EF 01 07 ....... should trigger rule However, It seems as thought the pcre will continue to look through the rest of the packet (until the end) How can I get it to look only at the 4th byte ? Any help would be greatly appreciated. Thanks, DR ------------------------------------------------------------------------------ Check out the new SourceForge.net Marketplace. It is the best place to buy or sell services for just about anything Open Source. 
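An added example, not code from the thread or from Snort itself, that emulates the rule pieces under discussion in Python so the three variants can be compared on the same packets: the PCRE as posted, the same PCRE with the stray empty alternative removed, and the multi-byte content replacement Stephen suggested. It assumes `depth:2` means the content match must end within the first two payload bytes, and that a PCRE with `R` is matched against the payload starting at the detection cursor, which is emulated here by slicing so that `^` anchors there.

```python
import re

# Rule pieces from the thread: content:"|BE EF|"; depth:2; then a PCRE with
# the R modifier, evaluated from the detection cursor left by the content match.
CONTENT = b"\xbe\xef"
DEPTH = 2

# The 16 bytes whose low nibble is 7 (07 17 27 ... F7), as listed in the post.
LOW_NIBBLE_7 = bytes(range(0x07, 0x100, 0x10))

# The PCRE exactly as posted. The first alternative in the group is empty, so
# the group always succeeds: the rule fires on any payload starting BE EF xx.
PCRE_AS_POSTED = re.compile(
    rb"^.{1}(|\x07|\x17|\x27|\x37|\x47|\x57|\x67|\x77"
    rb"|\x87|\x97|\xA7|\xB7|\xC7|\xD7|\xE7|\xF7)", re.I)

# Same intent with a character class instead of an alternation (no empty branch):
# skip exactly one byte, then require one of the 16 values as the 4th byte.
PCRE_FIXED = re.compile(
    rb"^.[\x07\x17\x27\x37\x47\x57\x67\x77\x87\x97\xA7\xB7\xC7\xD7\xE7\xF7]")

def rule_matches(payload: bytes, pcre: re.Pattern) -> bool:
    """Emulate content:"|BE EF|"; depth:2; pcre:"/.../R" on one packet payload."""
    idx = payload.find(CONTENT, 0, DEPTH)  # depth:2 -> match must end within 2 bytes
    if idx < 0:
        return False
    cursor = idx + len(CONTENT)            # cursor sits right after BE EF
    # R starts the PCRE at the cursor; slicing gives ^ that anchor in Python's re
    return pcre.match(payload[cursor:]) is not None

def content_sequence_matches(payload: bytes) -> bool:
    """Emulate the suggested content:"|07 17 ... F7|"; distance:1; replacement,
    which needs the whole 16-byte run, in order, at least one byte past BE EF."""
    idx = payload.find(CONTENT, 0, DEPTH)
    if idx < 0:
        return False
    return payload.find(LOW_NIBBLE_7, idx + len(CONTENT) + 1) >= 0

# Constructed sample payloads (not captured traffic).
SHOULD_FIRE = b"\xbe\xef\x01\x07" + b"\x00" * 4      # 4th byte is 07: intended hit
FALSE_POSITIVE = b"\xbe\xef\x01\x00" + b"\x00" * 4   # 4th byte is 00: should not hit
NOT_AT_START = b"\x00\xbe\xef\x01\x07"               # BE EF outside depth:2
SEVEN_LATER = b"\xbe\xef\x01\x00\x07"                # a 07 later on, not at offset 3

if __name__ == "__main__":
    for pkt in (SHOULD_FIRE, FALSE_POSITIVE, NOT_AT_START, SEVEN_LATER):
        print(pkt.hex(), rule_matches(pkt, PCRE_AS_POSTED),
              rule_matches(pkt, PCRE_FIXED), content_sequence_matches(pkt))
```

Running it shows the posted pattern firing on every BE EF packet regardless of the 4th byte, the class-based pattern firing only on the intended packet, and the content-sequence replacement firing on none of them.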