Snort mailing list archives

Re: PCRE and uricontent anchor


From: Joel Esler <joel.esler () me com>
Date: Fri, 26 Mar 2010 18:13:38 -0400

You can leave them out, unless you are looking for a particular method for a specific reason, as the original poster 
was.

Joel

On Mar 26, 2010, at 4:01 PM, evejou wrote:

Would the "POST" content result in an undue number of partial matches? Just wondering, as I have heard several 
reactions that using thousands of signatures using HTTP commands like "HEAD" and "POST" can really slow a 
machine down.



On Fri, Mar 26, 2010 at 2:52 PM, evilghost () packetmail net <evilghost () packetmail net> wrote:
There's no reason that Joel's wouldn't work but like all things there's
multiple solutions.  I'd write it like this:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Evil stuff"; flow:established,to_server; content:"POST"; nocase; http_method; uricontent:".aspx?id="; nocase; pcre:"/\.aspx\?id=\d+$/Ui"; classtype:bad-unknown; sid:2010xxx; rev:1;)

Please note the preceding period in ".aspx" uricontent match as well as
the PCRE and the end of string/buffer anchor in the URI constrained PCRE
which matches the cast of the id= query_string.

Hope this helped.  Replace $HTTP_PORTS with 443 if you're really only
concerned with an HTTPS endpoint.

-evilghost

Curt Shaffer wrote:
I am attempting to write a rule that would capture a POST event to a url with a specific file. Here is an example:

https://www.example.com/abc.aspx?id=459184950

The id section is always different. We also want to look for any similar POSTS to any address. With that in mind, 
here is the basis of what we came up with.

alert tcp $home_net any -> $external_net 443 (msg:"Bad stuff potentially going on"; pcre:"/a.\.aspx\?id=.*/"; classtype:trojan-activity; sid:10000015; rev:1;)

My question is, I suppose can we use a pcre match with no content or uricontent anchor, but that would be a pretty 
slow rule most likely. Does anyone have a suggestion on how I could anchor this to make it more efficient?

Thanks

Curt
------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs






-- 
---
girl () techn0ev3 net

Finché c'è vita, c'è speranza.
As long as there is life, there is hope. 

--
Joel Esler
http://blog.joelesler.net


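As an added illustration (not code from the thread and not Snort's own implementation), here is a small Python emulation of the option order in evilghost's rule: the cheap method and uricontent checks run first, the regex only runs when both pass, and the `$` anchor in `/\.aspx\?id=\d+$/Ui` rejects a URI that carries a trailing parameter. The request samples and the `UNANCHORED_PCRE` contrast are constructed for this example.

```python
"""Constructed emulation of how Snort walks the options of the rule in this
thread: content/http_method -> uricontent -> pcre with the /U modifier.
Added illustration only; the HTTP requests below are made up."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class HttpRequest:
    method: str   # what Snort's http_method buffer would hold
    uri: str      # what the normalized URI buffer (pcre /U) would hold


# Option values taken from evilghost's rule.  The 'i' flag becomes
# re.IGNORECASE; the 'U' modifier is modelled by searching only req.uri.
METHOD_CONTENT = "post"            # content:"POST"; nocase; http_method;
URI_CONTENT = ".aspx?id="          # uricontent:".aspx?id="; nocase;
ANCHORED_PCRE = re.compile(r"\.aspx\?id=\d+$", re.IGNORECASE)
# Same expression without the end anchor, only to show what '$' buys.
UNANCHORED_PCRE = re.compile(r"\.aspx\?id=\d+", re.IGNORECASE)


def evaluate(req, pcre=ANCHORED_PCRE):
    """Return the name of the first option that fails, or 'alert'.

    Snort stops at the first failing option, so the substring checks keep
    most traffic away from the regex; that is the efficiency argument the
    thread makes for anchoring the pcre with content/uricontent."""
    if METHOD_CONTENT not in req.method.lower():
        return "no-method"
    if URI_CONTENT not in req.uri.lower():
        return "no-uricontent"
    if pcre.search(req.uri) is None:
        return "no-pcre"
    return "alert"


def scan(requests, pcre=ANCHORED_PCRE):
    """Run every request through the rule; return (alert_uris, regex_runs)."""
    alerts, regex_runs = [], 0
    for req in requests:
        verdict = evaluate(req, pcre)
        # The regex only executed if both content pre-filters passed.
        if verdict in ("alert", "no-pcre"):
            regex_runs += 1
        if verdict == "alert":
            alerts.append(req.uri)
    return alerts, regex_runs


SAMPLE_REQUESTS = [  # constructed traffic
    HttpRequest("POST", "/abc.aspx?id=459184950"),      # the poster's example
    HttpRequest("GET",  "/abc.aspx?id=459184950"),      # wrong method
    HttpRequest("POST", "/abc.ASPX?ID=12"),             # nocase / 'i' flag
    HttpRequest("POST", "/abc.aspx?id=459184950&x=1"),  # trailing parameter
    HttpRequest("POST", "/abc.aspx?id=abc"),            # non-numeric id
    HttpRequest("POST", "/index.php?id=1"),             # uricontent misses
    HttpRequest("POST", "/"),                           # uricontent misses
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req.method:4} {req.uri:32} -> {evaluate(req)}")
    print("anchored:  ", scan(SAMPLE_REQUESTS))
    print("unanchored:", scan(SAMPLE_REQUESTS, UNANCHORED_PCRE))
```

Run against the sample list, the regex executes for four of the seven requests (the other three are dropped by the method or uricontent check before it is reached), and removing the `$` anchor adds the `&x=1` request to the alerts. Whether a URI with extra parameters after the numeric id should still alert is exactly the tuning decision the anchor encodes.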
