Snort mailing list archives
Re: sid:2318 invalid pcre match?
From: Will Metcalf <william.metcalf () gmail com>
Date: Fri, 18 Jun 2010 11:38:11 -0500
Cool, thanks Alex!

Regards,
Will

On Fri, Jun 18, 2010 at 11:25 AM, Alex Kirk <akirk () sourcefire com> wrote:

This is actually the conclusion we had just reached over here at SF. The rule has had that PCRE since its initial creation back in December of 2003, and was likely written that way to deal with parser issues present in Snort at the time. We'll update the rule to use a "normal" style delimiter shortly.

On Fri, Jun 18, 2010 at 12:22 PM, Crook, Parker <Parker_Crook () reyrey com> wrote:

Will,

For the rule, I have:

alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS non-relative path access attempt"; flow:to_server,established; content:"Argument"; pcre:"m?^Argument\s+/?smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; reference:nessus,11947; classtype:misc-attack; sid:2318; rev:4;)

but according to the new Snort manual, on page 142 the format can be:

pcre:[!]"(/<regex>/|m<delim><regex><delim>)[ismxAEGRUBPHMCOIDKYS]";

So using ? as the delimiter, this would appear to be a valid pcre, and translated into the usual format:

/^Argument\s+\//smi

-Parker

-----Original Message-----
From: Will Metcalf [mailto:william.metcalf () gmail com]
Sent: Friday, June 18, 2010 11:50 AM
To: Snort Users
Subject: [Snort-users] sid:2318 invalid pcre match?

Can somebody else verify? It appears that sid:2318 contains an invalid pcre match. At least as far as the snort docs and pcretest are concerned.

pcre:"m?^Argument\s+/?smi";

Regards,
Will

--
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com

------------------------------------------------------------------------------
ThinkGeek and WIRED's GeekDad team up for the Ultimate GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the lucky parental unit. See the prize list and enter to win: http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
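The thread turns on whether pcre:"m?^Argument\s+/?smi" and pcre:"/^Argument\s+\//smi" describe the same match. The following is an added example, not code from the thread, from Snort or from the Sourcefire VRT: a small parser for the two delimiter forms quoted from the manual, which then runs both spellings of the sid:2318 option over constructed CVS pserver request fragments (not captured traffic) to show that they fire on the same input. It assumes that the last occurrence of the delimiter closes the regex (an assumption about Snort's parser, not verified against its source), uses Python's re module as a stand-in for PCRE, and approximates Snort's R (relative) flag by starting the next search where the previous match ended; the names parse_pcre_option, compile_option, option_matches and rule_fires are this example's own.

```python
"""Added example: parse Snort's two pcre delimiter forms and compare them on sample payloads.

Illustrative code, not Snort's parser. Assumes the manual's syntax
  pcre:[!]"(/<regex>/|m<delim><regex><delim>)[ismxAEGRUBPHMCOIDKYS]";
and takes the *last* occurrence of the delimiter as the closing one
(assumption). Python's re stands in for PCRE; only i, s, m and x are
translated, Snort-only modifiers such as R are reported separately.
"""
import re

PY_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}


def parse_pcre_option(opt):
    """Split a quoted pcre option body into (negated, regex source, flag string)."""
    negated = opt.startswith("!")
    body = opt[1:] if negated else opt
    if len(body) < 2 or body[0] != '"' or body[-1] != '"':
        raise ValueError("pcre option must be double-quoted: %r" % opt)
    body = body[1:-1]
    if body.startswith("/"):
        delim, rest = "/", body[1:]              # /<regex>/<flags>
    elif body.startswith("m") and len(body) > 1:
        delim, rest = body[1], body[2:]          # m<delim><regex><delim><flags>, e.g. m?...?
    else:
        raise ValueError("pcre must start with / or m<delim>: %r" % opt)
    end = rest.rfind(delim)                      # closing delimiter = last occurrence (assumed)
    if end < 0:
        raise ValueError("missing closing delimiter %r in %r" % (delim, opt))
    return negated, rest[:end], rest[end + 1:]


def compile_option(opt):
    """Return (negated, compiled regex, Snort-only flags that re cannot apply)."""
    negated, regex, flags = parse_pcre_option(opt)
    pyflags, snort_only = 0, ""
    for f in flags:
        if f in PY_FLAGS:
            pyflags |= PY_FLAGS[f]
        else:
            snort_only += f
    return negated, re.compile(regex, pyflags), snort_only


def option_matches(opt, payload):
    """True if a single pcre option (honouring a leading !) would fire on the payload."""
    negated, rx, _ = compile_option(opt)
    return bool(rx.search(payload)) != negated


def rule_fires(pcre_options, payload):
    """Evaluate a rule's pcre options in order; R continues from the previous match end."""
    cursor = 0
    for opt in pcre_options:
        negated, rx, snort_only = compile_option(opt)
        m = rx.search(payload, cursor if "R" in snort_only else 0)
        if (m is not None) == negated:
            return False
        if m is not None:
            cursor = m.end()
    return True


# The two spellings from the thread: sid:2318's ?-delimited option and the
# /-delimited translation, plus the rule's second, relative pcre.
ORIGINAL = '"m?^Argument\\s+/?smi"'
NORMALISED = '"/^Argument\\s+\\//smi"'
SID2318_PCRE = (ORIGINAL, '"/^Directory/smiR"')

# Constructed CVS pserver request fragments (not captured traffic). The first
# passes an absolute path, which is what the rule looks for.
ABSOLUTE_PATH = "Argument /etc/passwd\nDirectory .\n"
RELATIVE_PATH = "Argument src/main.c\nDirectory .\n"


if __name__ == "__main__":
    for opt in (ORIGINAL, NORMALISED):
        print(opt, "->", parse_pcre_option(opt))
        for payload in (ABSOLUTE_PATH, RELATIVE_PATH):
            print("  fires on %r: %s" % (payload.split("\n")[0], option_matches(opt, payload)))
    print("sid:2318 on absolute path:", rule_fires(SID2318_PCRE, ABSOLUTE_PATH))
    print("sid:2318 on relative path:", rule_fires(SID2318_PCRE, RELATIVE_PATH))
```

Both spellings reduce to the same regex body up to the escaped slash and the same smi flags, so they fire on the absolute-path request and stay quiet on the relative one; the difference Will hit is purely that pcretest expects the /.../ form, which is why normalising the rule costs nothing in detection.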
Current thread:
- sid:2318 invalid pcre match? Will Metcalf (Jun 18)
- Re: sid:2318 invalid pcre match? Crook, Parker (Jun 18)
- Re: sid:2318 invalid pcre match? Alex Kirk (Jun 18)
- Re: sid:2318 invalid pcre match? Will Metcalf (Jun 18)
- Re: sid:2318 invalid pcre match? Will Metcalf (Jun 18)
- Re: sid:2318 invalid pcre match? Alex Kirk (Jun 18)
- Re: sid:2318 invalid pcre match? Crook, Parker (Jun 18)