Snort mailing list archives
Re: PCRE and normalized content
From: "Rodrigo Montoro(Sp0oKeR)" <spooker () gmail com>
Date: Wed, 13 Jan 2010 22:08:52 -0200
Paul, I think you should read snort manual =) Table 3.8: Snort specific modifiers for pcre R Match relative to the end of the last pattern match. (Similar to distance:0;) U Match the decoded URI buffers (Similar to uricontent and http uri) P Match normalized HTTP request body (Similar to http client body) H Match normalized HTTP request header (Similar to http header) M Match normalized HTTP request method (Similar to http method) C Match normalized HTTP request cookie (Similar to http cookie) B Do not use the decoded buffers (Similar to rawbytes) O Override the configured pcre match limit for this expression (See section 2.1.3) Anyway this rules will fail with a simples and 1<2 . I tried once to write a rules but there are to many ways to write the same query take a look at this thread http://lists.emergingthreats.net/pipermail/emerging-sigs/2008-June/000698.html Anyway I don't thing this list is about writing new rules =) Regards, On Wed, Jan 13, 2010 at 9:52 PM, Paul Schmehl <pschmehl_lists () tx rr com> wrote:
This string: %20%61%6E%64%20%31%3D%31 equals this string: ' and 1=1' after normalization. You can pick this up in a rule by using uricontent instead of content. But what do you do about PCRE? Is there a way to get PCRE to match against normalized content? Or will it only match against non-normalized content? I'm working on sql injection rules and using the following pcre: pcre:"/and\s(\d+)=\1/"; It works fine on 1=1 or 54=54, but fails on %31%3D%31, apparently because it's attempting to match against the non-normalized content. -- Paul Schmehl, Senior Infosec Analyst As if it wasn't already obvious, my opinions are my own and not those of my employer. ******************************************* "It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson ------------------------------------------------------------------------------ Throughout its 18-year history, RSA Conference consistently attracts the world's best and brightest in the field, creating opportunities for Conference attendees to learn about information security's most important issues through interactions with peers, luminaries and emerging and established companies. http://p.sf.net/sfu/rsaconf-dev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
-- Rodrigo Montoro (Sp0oKeR) http://www.spooker.com.br http://www.twitter.com/spookerlabs http://www.linkedin.com/in/spooker ------------------------------------------------------------------------------ Throughout its 18-year history, RSA Conference consistently attracts the world's best and brightest in the field, creating opportunities for Conference attendees to learn about information security's most important issues through interactions with peers, luminaries and emerging and established companies. http://p.sf.net/sfu/rsaconf-dev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- PCRE and normalized content Paul Schmehl (Jan 13)
- Re: PCRE and normalized content Rodrigo Montoro(Sp0oKeR) (Jan 13)
- Message not available
- Re: PCRE and normalized content Rodrigo Montoro(Sp0oKeR) (Jan 13)
- Message not available
- Re: PCRE and normalized content Paul Schmehl (Jan 13)
- Re: PCRE and normalized content Rodrigo Montoro(Sp0oKeR) (Jan 13)
- Re: PCRE and normalized content Paul Schmehl (Jan 13)
- Re: PCRE and normalized content Rodrigo Montoro(Sp0oKeR) (Jan 13)