Snort mailing list archives
Re: Looking for HTTP POST's over 1mb in size
From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Fri, 9 Apr 2010 08:02:11 -0500
Of course they both work; this should not be a surprise. A colon doesn't need to be escaped in a PCRE and if you escape it, it doesn't change the way the PCRE engine sees it since it isn't a special character. Heck, you could escape all non-special characters and everything would work just fine. It's how escaping works. When thinking about a colon in a PCRE, I'd encourage all to apply the Alcatraz rule ... no escape :)

-L0rd Ch0de1m0rt

On 4/8/10, Matt Olney <molney () sourcefire com> wrote:
Actually (don't ask me why)...they both work:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PCRE with colon"; pcre:"/User-Agent:/H"; classtype: attempted-admin; sid: 33333;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PCRE with colon escaped"; pcre:"/User-Agent\:/H"; classtype: attempted-admin; sid: 33334;)

Alerts:
1:33333:0 PCRE with colon           Alerts: 2
1:33334:0 PCRE with colon escaped   Alerts: 2

[HTTP_HEADER BUFFER DATA (0x8ac90a0)]:
55 73 65 72 2d 41 67 65 6e 74 3a 20 43 42 4e 65  User-Agent: CBNe
74 44 61 74 61 53 65 74 0d 0a 48 6f 73 74 3a 20  tDataSet..Host:
73 65 67 6d 65 6e 74 2e 70 77 30 38 2e 69 63 69  segment.pw08.ici
62 61 2e 63 6f 6d 0d 0a 43 61 63 68 65 2d 43 6f  ba.com..Cache-Co
6e 74 72 6f 6c 3a 20 6d 61 78 2d 61 67 65 3d 32  ntrol: max-age=2
35 39 32 30 30 0d 0a 56 69 61 3a 20 31 2e 30 20  59200..Via: 1.0
50 52 4f 58 59 0d 0a 43 6f 6e 6e 65 63 74 69 6f  PROXY..Connectio
6e 3a 20 63 6c 6f 73 65 0d 0a 0d                 n: close...

Matt
(Who has been stupid busy, but is still listening)

2010/4/8 L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>:

I disagree. Unless snort is not PCRE compatible (which it seems they should be based on the acronym), you don't have to escape the colon in this context for a pcre check.

Cheers,
-L0rd Ch0de1m0rt

On Thu, Apr 8, 2010 at 7:46 PM, 김무성 <kimms () infosec co kr> wrote:

Missed escape: \
You have to write this
pcre:"/^Content-Length\:\s*[0-9]{7,}$/i";
or
pcre:"/^Content-Length\x3a\s*[0-9]{7,}$/i";
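The point argued in this thread, that ':' is not a PCRE metacharacter so the unescaped, backslash-escaped and \x3a spellings of the Content-Length check are the same matcher, as an added example that is not part of the original messages or of Snort. It uses Python's re module as a stand-in for the PCRE engine Snort links against (identical for these patterns), constructs its own sample requests, and also parses the declared length numerically to show that the "7 or more digits" shortcut fires at 1,000,000 bytes, not at 1 MiB.

```python
import re

# Three spellings of the same check, as proposed in the thread: the colon
# unescaped, backslash-escaped, and written as a hex escape. In PCRE (and in
# Python's re, used here as a stand-in) ':' is not a metacharacter, so all
# three compile to matchers with identical behaviour.
PATTERNS = {
    "plain":   re.compile(r"^Content-Length:\s*[0-9]{7,}$", re.IGNORECASE),
    "escaped": re.compile(r"^Content-Length\:\s*[0-9]{7,}$", re.IGNORECASE),
    "hex":     re.compile(r"^Content-Length\x3a\s*[0-9]{7,}$", re.IGNORECASE),
}


def header_lines(raw: bytes):
    """Yield the request line and header lines of a raw HTTP header block.
    This stands in for Snort's HTTP header buffer (the 'H' pcre modifier)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n"):
        yield line.decode("latin-1")


def large_post(raw: bytes, pattern: re.Pattern) -> bool:
    """True when any header line matches the 7-or-more-digit Content-Length regex."""
    return any(pattern.search(line) for line in header_lines(raw))


def large_post_by_size(raw: bytes, threshold: int = 1024 * 1024) -> bool:
    """Reference check: parse the declared body length as a number and compare
    it against a real 1 MiB threshold (hypothetical default, not from the thread)."""
    for line in header_lines(raw):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-length":
            try:
                return int(value.strip()) > threshold
            except ValueError:
                return False
    return False


# Constructed sample requests; none of these come from the thread.
BIG = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
       b"Content-Length: 2097152\r\nConnection: close\r\n\r\n")
SMALL = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
         b"content-length: 4096\r\nConnection: close\r\n\r\n")
SEVEN = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
         b"Content-Length: 1000000\r\nConnection: close\r\n\r\n")


def compare(raw: bytes) -> dict:
    """Verdict of all three regex spellings plus the numeric reference check."""
    out = {name: large_post(raw, p) for name, p in PATTERNS.items()}
    out["numeric"] = large_post_by_size(raw)
    return out


if __name__ == "__main__":
    for label, raw in (("BIG", BIG), ("SMALL", SMALL), ("SEVEN", SEVEN)):
        print(label, compare(raw))
```

The three regex spellings agree on every input. The SEVEN request shows the gap between the regex and the stated goal: 1,000,000 has seven digits, so the rule alerts, while the body is below 1 MiB and the numeric check stays quiet. If the threshold matters, a byte_test against the header value, or a tighter digit pattern, is the fix, not escaping the colon.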
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs