Snort mailing list archives

Re: Mis-Matching traffic with PCRE Rules


From: Joshua Kinard <kumba () gentoo org>
Date: Fri, 08 Mar 2013 17:34:36 -0500

On 03/08/2013 9:28 AM, Joel Esler wrote:
On Mar 8, 2013, at 5:43 AM, waseem sarwar <waseemsarwar103 () hotmail com> wrote:

I have a pcre-based rule as follows in my rules file:

alert udp any any -> any 53 (msg:"MALWARE domain capodeicapi.eu";
pcre:"m/capodeicapi.eu/i"; classtype:trojan-activity; sid:5000968;)

Hm.. I'm not sure what you are doing with the "m" in your pcre there..
but if you are trying to match on a domain name look up, that rule won't
work.  The "." in a domain name is actually a number.  And it would be
faster and better to do a content match there.
content:"capodeicapi|02|eu"; or something like that.

The 'm' is a way to specify an alternate pcre delimiter.  A '/' is default,
so he really doesn't need the 'm' in there, although, I don't think it
should be a problem.

As for the DNS label bit, yeah, he would be better off using a static
content match and include a byte count plus the null terminator, as well as
fast_pattern:only;.

content:"|0b|capodeicapi|02|eu|00|"; fast_pattern:only;

If it's an actual HTTP URL he wanted, he is totally on the wrong transport
protocol and he should enable/use the HTTP preprocessor:

2nd-level domain match in HTTP headers:
content:"Host: capodeicapi.eu"; http_header; fast_pattern:only;

3rd-level match (pcre form):
content:"capodeicapi.eu"; http_header; fast_pattern:only;
pcre:"/Host\x3a\x20.*\x2ecapodeicapi\x2eeu/iH"

Could also do the 3rd-level match w/ two relative contents to avoid the
penalty of the libpcre offload, but that might run into the "Referer" field,
if it repeats that 2nd-level:
content:"Host: "; http_header; content:"capodeicapi.eu"; nocase; distance:0;
http_header;


The issue I am facing is that this rule also matches for the domain
http://capo.eu, which it should not match. I am also facing a similar
problem with more pcre rules, in that they match sub-string based URLs
of the actual rules. I am using Snort version 2.9.1.

First thing I am going to ask you to do is upgrade your version of Snort.
We are on 2.9.4.1 now, support for 2.9.1 ended about a year ago.  In
addition to that, I also need to know what version of pcre you have
installed on the box.

Does Snort depend on the pcre lib installed by the OS, or does it include
its own copy of libpcre in some form?

-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
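The DNS-label point made in this thread, worked through as an added example (not code from any of the posters or from the Snort project): it encodes a name into DNS wire format, renders it as the `|0b|capodeicapi|02|eu|00|` content string, and runs both a raw content search and an unanchored regex over constructed DNS queries to show which names the static match hits and why an unescaped `.` in a pcre matches the length byte rather than a literal dot. The query builder and the helper names are assumptions for the demonstration.

```python
import re
import struct

def dns_wire_name(domain: str) -> bytes:
    """DNS wire format: each label is preceded by its length byte and the name
    ends with a 0x00 label. The "." separators never appear on the wire."""
    out = b""
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("a DNS label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def snort_content(domain: str) -> str:
    """Render the wire-format name as a Snort content: string, with
    non-printable bytes as |hh| escapes, e.g. |0b|capodeicapi|02|eu|00|."""
    pieces, run = [], ""
    for b in dns_wire_name(domain):
        if 0x21 <= b <= 0x7E and chr(b) not in '|";\\':
            run += chr(b)
            continue
        if run:
            pieces.append(run)
            run = ""
        pieces.append(f"|{b:02x}|")
    if run:
        pieces.append(run)
    return "".join(pieces)

def dns_query(domain: str, qtype: int = 1) -> bytes:
    """Constructed minimal DNS query: 12-byte header plus one question
    (QTYPE as given, QCLASS IN). Sample input, not captured traffic."""
    header = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    return header + dns_wire_name(domain) + struct.pack(">HH", qtype, 1)

def content_match(packet: bytes, domain: str) -> bool:
    """What content:"|0b|capodeicapi|02|eu|00|" does: a raw byte search for the
    length-prefixed, null-terminated wire form of the name."""
    return dns_wire_name(domain) in packet

def pcre_match(packet: bytes, pattern: bytes) -> bool:
    """Unanchored, case-insensitive regex over the raw payload, like pcre:"/.../i"."""
    return re.search(pattern, packet, re.IGNORECASE) is not None

if __name__ == "__main__":
    q = dns_query("capodeicapi.eu")
    print(snort_content("capodeicapi.eu"), content_match(q, "capodeicapi.eu"))
    # An unescaped "." in the regex also matches the 0x02 length byte:
    print(pcre_match(q, rb"capodeicapi.eu"), pcre_match(q, rb"capodeicapi\x2eeu"))
```

The length-prefixed form still matches a query for `www.capodeicapi.eu` (the label sequence is contained in it) but not `capo.eu` or `xcapodeicapi.eu`, whose length bytes differ.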
