Snort mailing list archives

Re: Signature question


From: Matt Olney <molney () sourcefire com>
Date: Thu, 4 Feb 2010 10:29:29 -0500

Joel is correct.  For example, for the following (redacted) packet:

04/02-10:09:43.244152 10.4.12.226:53584 -> 10.4.10.7:5101
TCP TTL:128 TOS:0x0 ID:1232 IpLen:20 DgmLen:145 DF
***AP*** Seq: 0xA9052295  Ack: 0x3C96BE21  Win: 0xFB  TcpLen: 20
59 4D 53 47 00 0F 00 00 00 55 00 4B 00 00 00 16  YMSG.....U.K....
DC 52 A5 15 34 39 C0 80 54 59 50 49 4E 47 C0 80  .R..49..TYPING..


The following (sloppy, most likely wrong in some way) rules are all equivalent:

alert tcp any any -> any any (msg:"Content based distance/within"; content:"YMSG"; content:"TYPING"; distance:20; within:6; classtype:attempted-admin; sid:1;)
alert tcp any any -> any any (msg:"Content based offset/depth"; content:"YMSG"; content:"TYPING"; offset:24; depth:6; classtype:attempted-admin; sid:2;)
alert tcp any any -> any any (msg:"pcre based distance/within"; content:"YMSG"; pcre:"/^.{20}TYPING/R"; classtype:attempted-admin; sid:3;)
alert tcp any any -> any any (msg:"pcre based offset/depth"; content:"YMSG"; pcre:"/^.{24}TYPING/"; classtype:attempted-admin; sid:4;)

[molney@vrt-app-01 ~]$ stest yahoo_in.pcap -l

Snort Test Suite v.0.3.0

Alerts:
1:1:0           Content based distance/within
                Alerts: 2
1:2:0           Content based offset/depth
                Alerts: 2
1:3:0           pcre based distance/within
                Alerts: 2
1:4:0           pcre based offset/depth
                Alerts: 2

Hope that makes sense,

Matt
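
As an added illustration (not part of Matt's message and not Snort's own code), the Python below models how those four rules land on the packet bytes above. It is a simplified emulation of Snort's content and pcre cursor semantics: `distance`/`within` and `/R` are measured from the end of the previous content match, while `offset`/`depth` and a pcre without `/R` are measured from the start of the payload. The 32-byte payload is rebuilt from the hex dump in the thread; the "newline" and "shifted" payloads are constructed here to show where the pcre forms stop being equivalent to the content forms (PCRE's `.` does not match 0x0A unless the `s` flag is used).

```python
import re

# Constructed copy of the redacted YMSG payload shown in the thread:
# "YMSG" at offset 0, 20 bytes of header fields, "TYPING" at offset 24.
PAYLOAD = bytes.fromhex(
    "59 4D 53 47 00 0F 00 00 00 55 00 4B 00 00 00 16 "
    "DC 52 A5 15 34 39 C0 80 54 59 50 49 4E 47 C0 80"
)

# Constructed variants (not from the thread):
#  - one of the 20 intervening header bytes replaced with 0x0A ('\n')
#  - one extra byte inserted so "TYPING" starts at offset 25 instead of 24
PAYLOAD_NEWLINE = PAYLOAD[:10] + b"\x0a" + PAYLOAD[11:]
PAYLOAD_SHIFTED = PAYLOAD[:24] + b"\x00" + PAYLOAD[24:]


def content_match(payload, pattern, doe=0, offset=None, depth=None,
                  distance=None, within=None):
    """Emulate one Snort 'content' match.

    doe is the detection cursor (index just past the previous match).
    distance/within are relative to doe; offset/depth are absolute from
    the start of the payload. Returns the new cursor, or None if no match.
    """
    if distance is not None or within is not None:
        start = doe + (distance or 0)
        end = len(payload) if within is None else start + within
    else:
        start = offset or 0
        end = len(payload) if depth is None else start + depth
    # bytes.find(sub, start, end) only matches if the whole pattern fits
    # inside [start, end), which is what depth/within require.
    idx = payload.find(pattern, start, end)
    return None if idx < 0 else idx + len(pattern)


def pcre_match(payload, regex, doe=0, relative=False, flags=0):
    """Emulate a Snort 'pcre' match; relative=True models the /R modifier.

    With /R the regex is evaluated from the cursor, so '^' anchors at doe;
    without it the regex runs from the start of the payload.
    """
    base = doe if relative else 0
    m = re.search(regex, payload[base:], flags)
    return None if m is None else base + m.end()


def evaluate(payload, dotall=False):
    """Run the four rules from the thread; returns {sid: fired}.

    dotall=True models adding the 's' flag to both pcre rules.
    """
    flags = re.DOTALL if dotall else 0
    doe = content_match(payload, b"YMSG")
    if doe is None:
        return {sid: False for sid in (1, 2, 3, 4)}
    return {
        1: content_match(payload, b"TYPING", doe, distance=20, within=6) is not None,
        2: content_match(payload, b"TYPING", doe, offset=24, depth=6) is not None,
        3: pcre_match(payload, rb"^.{20}TYPING", doe, relative=True, flags=flags) is not None,
        4: pcre_match(payload, rb"^.{24}TYPING", doe, relative=False, flags=flags) is not None,
    }


if __name__ == "__main__":
    cases = (
        ("original packet", PAYLOAD, False),
        ("0x0A among the 20 header bytes", PAYLOAD_NEWLINE, False),
        ("0x0A among the 20 header bytes, pcre with /s", PAYLOAD_NEWLINE, True),
        ("TYPING shifted to offset 25", PAYLOAD_SHIFTED, False),
    )
    for name, p, dot in cases:
        print(f"{name}: {evaluate(p, dotall=dot)}")
```

On the packet from the thread all four rules fire, matching the stest output. The constructed variants show the practical caveats: `.{20}` in the pcre rules silently fails if any of the skipped bytes is 0x0A unless the pattern carries the `s` flag, while the content-based rules do not care what the skipped bytes are; and shifting "TYPING" by a single byte defeats all four, because `within:6`, `depth:6` and `^.{N}` each pin the match to an exact position rather than a window.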

On Thu, Feb 4, 2010 at 10:01 AM, Joel Esler <jesler () sourcefire com> wrote:
No, you can use the "R" pcre modifier which makes the pcre 'relative' to the
last content match.  You can't use depth, offset, distance, or within with
pcre.
J

On Thu, Feb 4, 2010 at 8:01 AM, spiffy pickle <spiffypickle () gmail com>
wrote:

Hello everyone,
  I have a question about using pcre with the depth, offset, distance, and within
qualifiers. I can't seem to find any documentation pointing one way or the
other. Can you use those qualifiers with pcre? Does the pcre engine care
about where the content match pointer is pointing?

Much thanks,
   SP


------------------------------------------------------------------------------
The Planet: dedicated and managed hosting, cloud storage, colocation
Stay online with enterprise data centers and the best network in the
business
Choose flexible plans and management services without long-term contracts
Personal 24x7 support from experience hosting pros just a phone call away.
http://p.sf.net/sfu/theplanet-com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



--
Joel Esler




