Snort mailing list archives

Re: Understanding within


From: "lists () packetmail net" <lists () packetmail net>
Date: Wed, 15 Aug 2012 13:10:31 -0500

On 08/15/12 13:01, James Lay wrote:
> Thanks gents...this does help.  Not to beat a dead horse here...here's
> the original snippet from the email:
>
> The reference number for this fax is <a
> href="hxxp://pixeljunks.de/YRmJLNJv/index.html">min1_did12-1345023267-7176853217-25
>
> For things like this, should I just forget about the within statement,
> knowing that:
>
> content:"<a href=|22|http:"; fast_pattern; pcre:"/\x2f[a-z]{8}\x2f/i";
>
> will only match a packet that contains the content AND the pcre?
> Again...just trying to tighten and optimize as best I can...thanks
> again.

On the ET side we've got a really good one for this, it's the 8-character
camel-case to index.html check out sid 2014521.

Basically, I'd do the below to re-create the urilen style seen with 2014521 and
avoid being pcre-heavy/pcre-only and ensure the camel-case style they use.

content:"/"; content:"/index.html|22|>"; within:21; fast_pattern;
pcre:"/https?:\/\/[^\x2f]+\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html[^\w]?/";

Thanks,
Nathan
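To make the `within:21` arithmetic in Nathan's rule concrete, here is an added example (not from the thread, not from Snort or ET) that re-implements the three options in plain Python and runs them over a few constructed payloads. It assumes Snort's semantics for `within:N` (the second content must lie entirely inside the N bytes that follow the end of the previous content match, with the engine retrying every occurrence of the first content) and translates the PCRE into Python `re` syntax; the host `example.net` and the sample `href` strings are constructed, not captured traffic.

```python
import re

# Rule options from the post, as Python data.
CONTENT_1 = b"/"
CONTENT_2 = b'/index.html">'          # |22| in the rule is the hex escape for '"'
WITHIN = 21
# The post's pcre, with PCRE's /.../ delimiters and \x2f escapes for '/'
# rewritten for Python's re module; the body is otherwise unchanged.
PCRE = re.compile(rb'https?://[^/]+/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*/index\.html[^\w]?')


def content_chain_matches(payload: bytes) -> bool:
    """content:"/"; content:"/index.html|22|>"; within:21;

    within:N requires the second content to lie entirely inside the N bytes
    that follow the end of the previous content match (assumed Snort
    semantics).  Snort retries every occurrence of the first content when a
    later relative content fails, so the loop does the same instead of
    stopping at the first '/' in the packet.
    """
    start = 0
    while True:
        first = payload.find(CONTENT_1, start)
        if first == -1:
            return False
        end_of_first = first + len(CONTENT_1)
        # bytes.find(sub, lo, hi) only reports sub when it fits wholly in [lo, hi),
        # which is exactly the "entirely within N bytes" constraint.
        if payload.find(CONTENT_2, end_of_first, end_of_first + WITHIN) != -1:
            return True
        start = first + 1


def pcre_matches(payload: bytes) -> bool:
    return PCRE.search(payload) is not None


def rule_matches(payload: bytes) -> bool:
    # fast_pattern on the second content: the detection engine only evaluates
    # the rule body at all if that literal appears somewhere in the packet.
    if CONTENT_2 not in payload:
        return False
    return content_chain_matches(payload) and pcre_matches(payload)


def max_dirname_len() -> int:
    """Bytes left for the directory name once '/index.html">' has to fit in the window."""
    return WITHIN - len(CONTENT_2)


# Constructed samples (not from the post; example.net is a placeholder host).
SAMPLES = {
    "camelcase_8": b'<a href="http://example.net/YRmJLNJv/index.html">ref',    # both pass
    "lowercase_8": b'<a href="http://example.net/abcdefgh/index.html">ref',    # pcre fails
    "camelcase_10": b'<a href="http://example.net/AbCdEfGhIj/index.html">ref', # within fails
    "no_index": b'<a href="http://example.net/YRmJLNJv/">ref',                 # fast pattern absent
}

if __name__ == "__main__":
    print(f"directory name may be at most {max_dirname_len()} bytes")
    for name, payload in SAMPLES.items():
        print(f"{name:13s} content={content_chain_matches(payload)!s:5s} "
              f"pcre={pcre_matches(payload)!s:5s} rule={rule_matches(payload)}")
```

The arithmetic is the point: `/index.html">` is 13 bytes, so `within:21` leaves 21 - 13 = 8 bytes between the preceding `/` and the closing `/index.html`, which is the 8-character directory name the ET signature keys on. The `lowercase_8` sample shows why the pcre is still needed (the content chain cannot express "contains an uppercase letter"), and `camelcase_10` shows the length cap doing work the pcre alone would not.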


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
