Re: problems with Rule using PCRE

[rmkml <rmkml () free fr>]

Hi Matt,
Happy New Year again,
why not simplify byte_test like: alert tcp any any -> any any 
(content:"|BE EF|"; byte_test: 1, &, 7, 1, relative;)
tested and work with \x07 \x17 \x27 \x37 \x47 \x57 \x67 \x77 \x87 \x97 \xA7 \xB7 \xC7 \xD7 \xE7 \xF7
Regards
Rmkml
Crusoe-Researches.com

On Wed, 7 Jan 2009, Matt Olney wrote:

> Date: Wed, 7 Jan 2009 13:46:13 -0500
> From: Matt Olney <molney () sourcefire com>
> To: snort-users () lists sourceforge net
> Subject: Re: [Snort-users] problems with Rule using PCRE
>
> I'd probably avoid the PCRE and do it with three bitwise ANDs in byte_tests.
>
> alert tcp any any -> any any (content:"|BE EF|"; byte_test: 1, &, 1,
> 1, relative; byte_test: 1, &, 2, 1, relative; byte_test: 1, &, 4, 1,
> relative; )
>
> But that doesn't really answer your PCRE question.  At first blush the
> PCRE doesn't look complete disfuctional, but I do notice in your
> parens you have (|\x07...  which might cause issues, I'll scround up a
> pcap and see if I can't replicate something and get back to you.
>
> Matt
>
> On Wed, Jan 7, 2009 at 12:48 PM, Document Retention
> <document.retention () gmail com> wrote:
> > Greetings,
> >
> >
> > I am having an issue with false positives for a rule using PCRE.
> >
> >
> > alert tcp any any ( content:"|BE EF|"; depth:2;
> > pcre:"/^.{1}(|\x07|\x17|\x27|\x37|\x47|\x57|\x67|\x77|\x87|\x97|\xA7|\xB7|\xC7|\xD7|\xE7|\xF7)/iR"
> >
> > sudo :  make sure it is beef, then match anything for 1 byte, then match
> > these hex values relative to last match.
> >
> >
> > I am trying to match the 4th byte in ( offset 3 ).
> >
> >
> > data :  BE EF 01 07 .......    should trigger rule
> >
> > However, It seems as thought the pcre will continue to look through the rest
> > of the packet (until the end)
> >
> >
> > How can I get it to look only at the 4th byte ?
> >
> >
> > Any help would be greatly appreciated.
> >
> >
> > Thanks,
> >
> >
> > DR
> >
> > ------------------------------------------------------------------------------
> > Check out the new SourceForge.net Marketplace.
> > It is the best place to buy or sell services for
> > just about anything Open Source.
> > http://p.sf.net/sfu/Xq1LFB
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> ------------------------------------------------------------------------------
> Check out the new SourceForge.net Marketplace.
> It is the best place to buy or sell services for
> just about anything Open Source.
> http://p.sf.net/sfu/Xq1LFB
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

------------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It is the best place to buy or sell services for
just about anything Open Source.
http://p.sf.net/sfu/Xq1LFB
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users