Re: Enquiry on PCRE

[yew chuan Ong <yewchuan_23 () yahoo com>]

Ic ic... Thanks a lot for the sharing. =)


Regards
YC

________________________________
 From: Jamie Riden <jamie.riden () gmail com>
To: yew chuan Ong <yewchuan_23 () yahoo com> 
Cc: Alex Kirk <akirk () sourcefire com>; "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net> 
Sent: Wednesday, June 20, 2012 8:06 PM
Subject: Re: [Snort-sigs] Enquiry on PCRE
 
pcre:"/^[^\x3a\x3f]{11,}\x3a\x2f/Usmi"

first ^ - anchor to the start
second ^, in the context of [^\x3a\x3f] - this is like [^ab] - which
means anything except a or b.

this is probably what's confusing matters, for example /^[^a]/ means a
string starting with anything except a.

{11,} is at least 11 of. then a \x3a\2f  (:/)

cheers,
Jamie

On 20 June 2012 13:00, yew chuan Ong <yewchuan_23 () yahoo com> wrote:
> Why it is anything EXCEPT a ":" or a "?"? Where is the keyword? =)
>
> ________________________________
> From: Alex Kirk <akirk () sourcefire com>
> To: yew chuan Ong <yewchuan_23 () yahoo com>
> Cc: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>
> Sent: Wednesday, June 20, 2012 7:12 PM
> Subject: Re: [Snort-sigs] Enquiry on PCRE
>
> It's anything except a ":" or a "?", 11 or more times, followed by ":/".
> Note that the whole thing is anchored to the start of the URL by the leading
> "^".
>
> On Tue, Jun 19, 2012 at 11:08 PM, yew chuan Ong <yewchuan_23 () yahoo com>
> wrote:
>
> Hi Guys,
>
> I am kind of confuse with the pcre in this rule:
> pcre:"/^[^\x3a\x3f]{11,}\x3a\x2f/Usmi"
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
> Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt";
> flow:to_server,established; content:"|3A|/"; offset:11; http_uri;
> pcre:"/^[^\x3a\x3f]{11,}\x3a\x2f/Usmi"; reference:bugtraq,9581;
> reference:cve,2004-0039; reference:nessus,12084; classtype:attempted-admin;
> sid:2381; rev:15;)
>
> Does it mean that the payload should have ":?" appeared for at least 11
> times and following with ":/"?
> Thanks!
>
>
> Regards
> YC
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
>
> --
> Alex Kirk
> AEGIS Program Lead
> Sourcefire Vulnerability Research Team
> +1-410-423-1937
> alex.kirk () sourcefire com
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!



-- 
Jamie Riden / jamie () honeynet org / jamie.riden () gmail com
http://uk.linkedin.com/in/jamieriden

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!