Snort mailing list archives
Re: [AUTO IP] Re: [AUTO IP] Re: Question about content
From: "evilghost () packetmail net" <evilghost () packetmail net>
Date: Tue, 1 Dec 2009 13:45:44 -0600
Paul, the PCRE was used to demonstrate the end-of-string matching, as previously suggested by Matt. The content match on "GET " with a depth of 4 was used to anchor the signature to an HTTP method, since the signature offered was used as an example centered around HTTP. It was further suggested that http_method should be used and/or the nocase; argument added to ensure non-RFC-compliant matching.

The useful information was contained in the PCRE; if anything, you should be screaming about the \d+ instead of just AAAA$, [A]{4}$, or A{4}$, but then again, there seems to be little merit to your gripe to begin with.

Ideally I was hoping the OP would reply and better clarify exactly what type of data/application they are attempting to inspect so a signature with greater precision could be constructed. What was offered was not an answer to homework but sufficient information to craft the necessary signature, by example, for the OP's requirements.

In the future I'll be sure to run replies through you, since you've been a wealth of help to the OP here. An ip rule with PCRE only is going to be a costly rule, but I'm sure you already knew that.

-evilghost

Paul Schmehl wrote:
> I saw that. The point is, you didn't come close to answering the OP's question. Forget the assumptions you made; you looked for a word 4 bytes into the packet. That wasn't what he asked for. He asked how he could find the pattern at_the_end_of_the_packet without knowing the packet length. The rest is irrelevant.
>
> --On Tuesday, December 01, 2009 11:46:04 -0600 evilghost () packetmail net wrote:
>
>> Paul, since you failed at reading comprehension, here would be the *critical* statement I made *before* I supplied the rule, as an example of how PCRE could be used to detect what the OP has requested:
>>
>> "Making assumptions about direction, protocol, and content I would try something like this:"
>>
>> I do appreciate your gems of wisdom concerning the ip based rule.
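The two-stage rule argued over in this thread (a content match on "GET " within depth 4 as a cheap prefilter, then a PCRE anchored with $ to catch a pattern at the end of the payload regardless of its length), emulated in Python as an added example that is not from the thread or from Snort. The payloads are constructed, the matching is a simplification of Snort's engine, and the comparison of `$` against `\Z` illustrates why Snort offers the `D` (dollar_endonly) PCRE modifier and why a PCRE-only rule costs more than one with a content prefilter.

```python
import re

# Constructed sample payloads standing in for TCP payloads seen by the sensor
# (made up for this example, not traffic from the thread).
SAMPLES = {
    "get_digits_end":     b"GET /index.html?id=12345",
    "get_digits_newline": b"GET /index.html?id=12345\n",
    "get_digits_middle":  b"GET /index.html?id=12345&x=abc",
    "post_digits_end":    b"POST /form 777",
    "get_aaaa_end":       b"GET /a/b/c AAAA",
}

def content_depth_match(payload: bytes, needle: bytes = b"GET ", depth: int = 4) -> bool:
    """Emulates content:"GET "; depth:4; -- the needle must lie wholly inside the
    first `depth` bytes, which for a 4-byte needle means 'payload starts with'."""
    return needle in payload[:depth]

def pcre_match(payload: bytes, pattern: bytes) -> bool:
    """Emulates the pcre option. Python's $ behaves like PCRE's default $: it also
    matches just before a single trailing newline. \\Z is end-of-buffer only, which
    is what Snort's 'D' (dollar_endonly) modifier turns $ into."""
    return re.search(pattern, payload) is not None

def rule_matches(payload: bytes, pattern: bytes, with_prefilter: bool = True) -> bool:
    """The two-stage rule: cheap content check first, regex only on survivors.
    with_prefilter=False is the PCRE-only 'ip' rule the thread calls costly."""
    if with_prefilter and not content_depth_match(payload):
        return False
    return pcre_match(payload, pattern)

def evaluate(pattern: bytes, with_prefilter: bool = True) -> dict:
    """Applies the rule to every sample and returns {name: matched}."""
    return {n: rule_matches(p, pattern, with_prefilter) for n, p in SAMPLES.items()}

def regex_evaluations(payloads, with_prefilter: bool) -> int:
    """Counts how many payloads actually reach the regex engine; the gap between
    the two settings is the work the content prefilter saves."""
    if not with_prefilter:
        return len(payloads)
    return sum(1 for p in payloads if content_depth_match(p))

if __name__ == "__main__":
    for pat in (rb"\d+$", rb"\d+\Z", rb"A{4}$"):
        print(pat, evaluate(pat))
    print("regex runs with prefilter:", regex_evaluations(list(SAMPLES.values()), True))
    print("regex runs without prefilter:", regex_evaluations(list(SAMPLES.values()), False))
```

Note that `\d+$` fires on the payload ending in a newline while `\d+\Z` does not; the choice decides whether a trailing line terminator hides the pattern from the rule.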