Snort mailing list archives

Re: Snort rule for a pattern match?


From: "Lay, James" <james.lay () wincofoods com>
Date: Wed, 27 Mar 2013 08:29:18 -0600

Brian,

Yea I'm not sure on that, so I'll defer to the much smarter folks in
this group :)

James

 

From: Shields, Joseph (NIH/NIEHS) [C] [mailto:joseph.shields () nih gov]
Sent: Tuesday, March 26, 2013 1:56 PM
To: Lay, James; snort-sigs () lists sourceforge net
Subject: RE: [Snort-sigs] Snort rule for a pattern match?

James,

   The traffic could be on most any port, though it likely will be web.
I think PCRE would be possible if the PERL look ahead with calc
capability is supported.  I've not seen anything showing this
implementation.  Namely, (?{ code }).

Brian

 

From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Tuesday, March 26, 2013 3:29 PM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Snort rule for a pattern match?

From: Shields, Joseph (NIH/NIEHS) [C] [mailto:joseph.shields () nih gov]
Sent: Tuesday, March 26, 2013 12:02 PM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Snort rule for a pattern match?

I'm reposting this question as I have not seen any responses yet.
Perhaps this can't be done at this time.

Brian

I am looking for a pattern that identifies a threat I am tracking and
need to write a signature to find it.  The problem is that I don't know
what the starting character will be but I will always know what the
difference between two given characters will be.

A simple, human readable, example is:

ABCDTSRQ

The difference between each character is:

[A] is 1 SMALLER than [B] is 1 SMALLER than [C] is 1 SMALLER than [D] is
16 SMALLER than [T] is 1 BIGGER than [S] is 1 BIGGER than [R] is 1
BIGGER than [Q]

The pattern in this example is -1,-1,-1,-16,+1,+1,+1.

BCDEXWVU would match this pattern and so would HIJKZXYW.

How can I write this rule?

Brian


Brian,

What port are we talking here?  If this is port 80 then ick, but if it's
something obscure it could be as simple as a pcre and we could forego
the computations:

pcre:"/[A-Z]{7}/";

Got a pcap or is there ANYTHING that's a constant that we can also match
on?

James
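Snort's pcre option has no (?{ code }) hook, but because the first byte fixes every later byte, a delta pattern like the one in the question expands to a small, finite set of literal strings that an ordinary pcre alternation can carry. The script below is an added example, not code from the thread or from the Snort project: it uses the question's own convention (each delta is the previous character minus the next, so ABCDTSRQ is -1,-1,-1,-16,+1,+1,+1), assumes the bytes of interest are printable ASCII, emits the expansion as one pcre option, and includes the direct window check a code-capable engine would run, which is useful for validating the generated rule against captured payloads.

```python
# Constructed from the question's example ABCDTSRQ; each delta is
# (previous char) - (next char), so "A is 1 SMALLER than B" is -1.
DELTAS = [-1, -1, -1, -16, +1, +1, +1]


def expand(deltas, lo=0x20, hi=0x7E):
    """Every string whose consecutive differences equal `deltas` and whose
    bytes all lie in [lo, hi] (printable ASCII by default). The start byte
    fixes the rest, so the set has at most hi - lo + 1 members."""
    out = []
    for start in range(lo, hi + 1):
        codes = [start]
        for d in deltas:
            codes.append(codes[-1] - d)  # next = previous - delta
        if all(lo <= c <= hi for c in codes):
            out.append("".join(chr(c) for c in codes))
    return out


def matches_deltas(s, deltas):
    """True if `s` is exactly len(deltas)+1 chars and follows the pattern."""
    if len(s) != len(deltas) + 1:
        return False
    return all(ord(s[i]) - ord(s[i + 1]) == d for i, d in enumerate(deltas))


def find_in_payload(payload, deltas):
    """Offset of the first window following the pattern, or -1: the check
    a rule would need to run as code; handy for testing the expansion."""
    n = len(deltas) + 1
    for i in range(len(payload) - n + 1):
        if matches_deltas(payload[i:i + n], deltas):
            return i
    return -1


def to_pcre(strings):
    """Emit a Snort pcre option listing every candidate as an alternative.
    Every non-alphanumeric byte is backslash-escaped: PCRE then reads it
    literally, and '/', '"', ';' and '\\' no longer upset the rule parser."""
    alts = ["".join(c if c.isalnum() else "\\" + c for c in s) for s in strings]
    return 'pcre:"/(?:%s)/";' % "|".join(alts)


if __name__ == "__main__":
    cands = expand(DELTAS)
    print(len(cands), "candidates, e.g.", cands[:3])
    print(to_pcre(cands))
```

Any constant James asked about (a fixed port, a content: anchor) still belongs in front of the pcre so the alternation is only evaluated on traffic that already passed the cheaper checks.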

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!