Snort mailing list archives
Re: problems with Rule using PCRE
From: "Matt Olney" <molney () sourcefire com>
Date: Wed, 7 Jan 2009 14:53:20 -0500
The reason you have to separate the byte_tests is that any non-zero response passes the byte_test. So if you byte test for 7 against a value of 4:

    111   byte_test: 1, &, 7, 1, relative;
    100   Last three bits one byte from DOE are equal to 4.
    ===
    100   Result returned to the byte_test is 4

You end up (not surprisingly) with 4, which is a non-zero value, and the byte_test evaluation passes.

For bitwise &, you need to test each individual bit. So if you're going to look for 4 bits that are exactly 0111, you need to:

    byte_test: 1, &, 1, 1, relative;
    byte_test: 1, &, 2, 1, relative;
    byte_test: 1, &, 4, 1, relative;
    byte_test: 1, !&, 8, 1, relative;

This is ugly, but probably still faster than either of the following PCREs:

    pcre:"/.(\x07|\x17|\x27|\x37|\x47|\x57|\x67|\x77|\x87|\x97|\xa7|\xb7|\xc7|\xd7|\xe7|\xf7)/sR";

or

    pcre:"/.[\x07\x17\x27\x37\x47\x57\x67\x77\x87\x97\xa7\xb7\xc7\xd7\xe7\xf7]/sR";

I think that's right. :)

Matt

On Wed, Jan 7, 2009 at 11:54 AM, rmkml <rmkml () free fr> wrote:
Hi Matt,

Happy New Year again. Why not simplify byte_test like:

    alert tcp any any -> any any (content:"|BE EF|"; byte_test: 1, &, 7, 1, relative;)

Tested, and it works with \x07 \x17 \x27 \x37 \x47 \x57 \x67 \x77 \x87 \x97 \xA7 \xB7 \xC7 \xD7 \xE7 \xF7.

Regards
Rmkml
Crusoe-Researches.com

On Wed, 7 Jan 2009, Matt Olney wrote:

Date: Wed, 7 Jan 2009 13:46:13 -0500
From: Matt Olney <molney () sourcefire com>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] problems with Rule using PCRE

I'd probably avoid the PCRE and do it with three bitwise ANDs in byte_tests.

    alert tcp any any -> any any (content:"|BE EF|"; byte_test: 1, &, 1, 1, relative; byte_test: 1, &, 2, 1, relative; byte_test: 1, &, 4, 1, relative;)

But that doesn't really answer your PCRE question. At first blush the PCRE doesn't look completely dysfunctional, but I do notice in your parens you have (|\x07... which might cause issues. I'll scrounge up a pcap and see if I can't replicate something and get back to you.

Matt

On Wed, Jan 7, 2009 at 12:48 PM, Document Retention <document.retention () gmail com> wrote:

Greetings,

I am having an issue with false positives for a rule using PCRE.

    alert tcp any any ( content:"|BE EF|"; depth:2; pcre:"/^.{1}(|\x07|\x17|\x27|\x37|\x47|\x57|\x67|\x77|\x87|\x97|\xA7|\xB7|\xC7|\xD7|\xE7|\xF7)/iR"

Pseudo: make sure it is BE EF, then match anything for 1 byte, then match these hex values relative to the last match. I am trying to match the 4th byte (offset 3).

    data: BE EF 01 07 .......   should trigger the rule

However, it seems as though the pcre will continue to look through the rest of the packet (until the end). How can I get it to look only at the 4th byte?

Any help would be greatly appreciated.

Thanks,
DR

------------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It is the best place to buy or sell services for just about anything Open Source.
http://p.sf.net/sfu/Xq1LFB
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
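As an added illustration (not code from the thread, nor Snort's own implementation), the Python below emulates the byte_test semantics Matt describes (the & operator passes on any non-zero result, !& on a zero result) and runs the rule variants discussed in the thread, plus DR's original PCRE and the character-class form, over a handful of constructed payloads. The payload bytes, the DOE handling and all function names are my own assumptions; the point it shows is which variants fire on bytes like 0x04 or 0x0F that should not alert.

```python
import re

# Constructed sample payloads (not from the thread). Each starts with the
# BE EF content match, so the "detect offset end" (DOE) is 2 and a
# byte_test with offset 1, relative reads index 3, i.e. the 4th byte.
PAYLOADS = {
    "07": bytes.fromhex("beef0107"),  # low nibble 0111: should alert
    "f7": bytes.fromhex("beef01f7"),  # low nibble 0111: should alert
    "04": bytes.fromhex("beef0104"),  # low 3 bits 100: must not alert
    "0f": bytes.fromhex("beef010f"),  # low nibble 1111: must not alert
    "00": bytes.fromhex("beef0100"),  # nothing set: must not alert
}

CONTENT = b"\xbe\xef"   # content:"|BE EF|"; depth:2;
DOE = len(CONTENT)      # detect offset end after that content match


def byte_test(payload, size, op, value, offset, relative=True):
    """Emulate Snort byte_test for the '&' and '!&' operators only:
    '&' passes when (field & value) is non-zero, '!&' when it is zero."""
    start = (DOE if relative else 0) + offset
    if start + size > len(payload):
        return False
    field = int.from_bytes(payload[start:start + size], "big")
    if op == "&":
        return (field & value) != 0
    if op == "!&":
        return (field & value) == 0
    raise ValueError("unsupported operator: %s" % op)


def rule_single_mask(p):
    """byte_test: 1, &, 7, 1, relative;  (the one-test simplification)"""
    return p.startswith(CONTENT) and byte_test(p, 1, "&", 7, 1)


def rule_three_ands(p):
    """Three byte_tests, one per bit of 0b111 (Matt's first reply)."""
    return p.startswith(CONTENT) and all(
        byte_test(p, 1, "&", bit, 1) for bit in (1, 2, 4))


def rule_four_tests(p):
    """Bits 1, 2, 4 set and bit 8 clear: low nibble exactly 0111."""
    return rule_three_ands(p) and byte_test(p, 1, "!&", 8, 1)


# DR's original pattern: the first alternative inside the group is empty,
# so the group always matches and the rule fires on any 4th byte.
PCRE_BUGGY = re.compile(
    rb"^.{1}(|\x07|\x17|\x27|\x37|\x47|\x57|\x67|\x77"
    rb"|\x87|\x97|\xA7|\xB7|\xC7|\xD7|\xE7|\xF7)", re.I)

# Character-class form from Matt's reply, anchored at DOE with ^ as in
# DR's original (assumption: this is the intended combination).
PCRE_CLASS = re.compile(
    rb"^.[\x07\x17\x27\x37\x47\x57\x67\x77\x87\x97\xa7\xb7\xc7\xd7\xe7\xf7]",
    re.S)


def rule_pcre(p, pattern):
    """Snort's R flag makes the match relative to DOE, so ^ anchors there."""
    return p.startswith(CONTENT) and pattern.match(p[DOE:]) is not None


def evaluate():
    """Return {rule name: {payload name: fired?}} for every combination."""
    rules = {
        "single_mask": rule_single_mask,
        "three_ands": rule_three_ands,
        "four_tests": rule_four_tests,
        "pcre_buggy": lambda p: rule_pcre(p, PCRE_BUGGY),
        "pcre_class": lambda p: rule_pcre(p, PCRE_CLASS),
    }
    return {name: {k: fn(v) for k, v in PAYLOADS.items()}
            for name, fn in rules.items()}


if __name__ == "__main__":
    for rule, hits in evaluate().items():
        fired = [k for k, v in hits.items() if v]
        print("%-12s fires on: %s" % (rule, ", ".join(fired)))
```

Running it shows the single-mask rule firing on 0x04, the three-AND version still firing on 0x0F (bit 8 is never checked), the four-test version and the character-class PCRE firing only on the sixteen xx7 values, and the original PCRE firing on every payload because of the empty alternative.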
Current thread:
- problems with Rule using PCRE Document Retention (Jan 07)
- Re: problems with Rule using PCRE Bachelor, Stephen A CTR USSOCOM HQ (Jan 07)
- Message not available
- Re: problems with Rule using PCRE Document Retention (Jan 07)
- Message not available
- Re: problems with Rule using PCRE Bachelor, Stephen A CTR USSOCOM HQ (Jan 07)
- Re: problems with Rule using PCRE Matt Olney (Jan 07)
- Re: problems with Rule using PCRE Matt Olney (Jan 07)
- Re: problems with Rule using PCRE rmkml (Jan 07)
- Re: problems with Rule using PCRE Matt Olney (Jan 07)
- Re: problems with Rule using PCRE Patrick Mullen (Jan 07)
- Re: problems with Rule using PCRE Nigel Houghton (Jan 07)