Snort mailing list archives
Re: PCRE and normalized content
From: "Rodrigo Montoro(Sp0oKeR)" <spooker () gmail com>
Date: Wed, 13 Jan 2010 23:41:54 -0200
My bad =) What I wanna say its about write basic rules without read the manual before . Long life snort drinking games http://blog.joelesler.net/the-snort-drinking-game Regards, On Wed, Jan 13, 2010 at 11:17 PM, Jason Brvenik <jason.brvenik () sourcefire com> wrote:
Why wouldn't the list be about new rules? All things rules? Anything relating to rules? (Because it has -sigs?) I think we need to talk more about the snort sigs on money. . . On Jan 13, 2010 7:15 PM, "Rodrigo Montoro(Sp0oKeR)" <spooker () gmail com> wrote: Paul, I think you should read snort manual =) Table 3.8: Snort specific modifiers for pcre R Match relative to the end of the last pattern match. (Similar to distance:0;) U Match the decoded URI buffers (Similar to uricontent and http uri) P Match normalized HTTP request body (Similar to http client body) H Match normalized HTTP request header (Similar to http header) M Match normalized HTTP request method (Similar to http method) C Match normalized HTTP request cookie (Similar to http cookie) B Do not use the decoded buffers (Similar to rawbytes) O Override the configured pcre match limit for this expression (See section 2.1.3) Anyway this rules will fail with a simples and 1<2 . I tried once to write a rules but there are to many ways to write the same query take a look at this thread http://lists.emergingthreats.net/pipermail/emerging-sigs/2008-June/000698.html Anyway I don't thing this list is about writing new rules =) Regards, On Wed, Jan 13, 2010 at 9:52 PM, Paul Schmehl <pschmehl_lists () tx rr com> wrote: > This string: %20%... -- Rodrigo Montoro (Sp0oKeR) http://www.spooker.com.br http://www.twitter.com/spookerlabs http://www.linkedin.com/in/spooker ------------------------------------------------------------------------------ Throughout its 18-ye...
-- Rodrigo Montoro (Sp0oKeR) http://www.spooker.com.br http://www.twitter.com/spookerlabs http://www.linkedin.com/in/spooker ------------------------------------------------------------------------------ Throughout its 18-year history, RSA Conference consistently attracts the world's best and brightest in the field, creating opportunities for Conference attendees to learn about information security's most important issues through interactions with peers, luminaries and emerging and established companies. http://p.sf.net/sfu/rsaconf-dev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
Current thread:
- PCRE and normalized content Paul Schmehl (Jan 13)
- Re: PCRE and normalized content Rodrigo Montoro(Sp0oKeR) (Jan 13)
- Message not available
- Re: PCRE and normalized content Rodrigo Montoro(Sp0oKeR) (Jan 13)
- Message not available
- Re: PCRE and normalized content Paul Schmehl (Jan 13)
- Re: PCRE and normalized content Rodrigo Montoro(Sp0oKeR) (Jan 13)
- Re: PCRE and normalized content Paul Schmehl (Jan 13)
- Re: PCRE and normalized content Rodrigo Montoro(Sp0oKeR) (Jan 13)