Snort mailing list archives
Re: [help,urgent] Using PCRE to match packets in hex
From: waldo kitty <wkitty42 () windstream net>
Date: Sun, 27 Oct 2013 16:48:14 -0400
On 10/27/2013 3:33 PM, Yoyo Lam wrote:
I didn't use content since I don't really get how to use it properly, and with my programming experience, I am more familiar with regex. And it seems that using pcre alone is ok. (not thoroughly tested)
Yes, you really do need content to match on and then regex performs more checking either on the same content or other data in the same buffer... In your pcre you have "13", "77696e646f7773" and "6c696e7578" that you could use content on... theory eg:

content: 13; content: 77696e646f7773; distance: 46; your_pcre_here

If I'm reading your regex properly, you are looking for

- 2 characters 0-9 or a-f or A-F
- 13
- 2 characters 0-9 or a-f or A-F
- the above three parts repeated 8 times
- 77696e646f7773 or 6c696e7578

Is this correct? If so, the content looking for 13 followed 46 bytes later with another content looking for 77696e646f7773 should match on those packets and then the pcre would refine the match and fire... I think you will need two rules the same but with the second content match being 6c696e7578 to catch those because I'm not aware of a way of specifying OR with content... This would also allow you to alter the last part of your pcre to contain only one or the other match depending on which rule it is... eg:

alert tcp any any -> any any (msg:"Some message"; content: 13; content: 77696e646f7773; distance: 46; pcre:"/([0-9a-fA-F]{2})13([0-9a-fA-F]{2}){8}(77696e646f7773)/B"; sid:1234567; rev:1;)

alert tcp any any -> any any (msg:"Some message"; content: 13; content: 77696e646f7773; distance: 46; pcre:"/([0-9a-fA-F]{2})13([0-9a-fA-F]{2}){8}(6c696e7578)/B"; sid:1234567; rev:1;)

I've written the above off the top of my head with no testing at all (and no data to test against)... I think it will give you what you need to understand about content matches... The only other thing is if those parts are character strings or if they are byte sequences... If they are byte sequences, then the content format would change slightly... Another small formatting hint is that you should start the parameters of your rules with the MSG section and then follow with your content, pcre, and other parameters as needed (references, sid, rev)...
-- NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.
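An added example (not part of the reply above or of Snort itself) that emulates the content-then-pcre evaluation order the reply describes, so a rule author can check a content chain against the regex before deploying it. The payloads are constructed hex-encoded text in the layout the regex describes, and the distance semantics are Snort's (search starts that many bytes after the end of the previous match, no `within`); `check_prefilter` reports a chain that is stricter than the pcre, which would keep the rule silent on packets the regex was written to catch.

```python
import re

# Constructed sample payloads (not captures from the thread): two hex digits,
# "13", sixteen hex digits, then "windows" (77696e646f7773) or "linux"
# (6c696e7578) as hex text. "other" ends in "mac" and should never fire.
SAMPLES = {
    "windows": "ab13" + "0011223344556677" + "77696e646f7773",
    "linux":   "ab13" + "0011223344556677" + "6c696e7578",
    "other":   "ab13" + "0011223344556677" + "6d6163",
}

# The two pcre bodies from the reply, one per rule.
PCRE_WINDOWS = re.compile(r"([0-9a-fA-F]{2})13([0-9a-fA-F]{2}){8}(77696e646f7773)")
PCRE_LINUX = re.compile(r"([0-9a-fA-F]{2})13([0-9a-fA-F]{2}){8}(6c696e7578)")


def content_chain(payload, contents):
    """Emulate an ordered chain of Snort content options.

    contents is a list of (needle, distance). distance follows Snort: the
    search for this needle starts that many bytes after the end of the
    previous match and, without 'within', may land anywhere beyond it.
    """
    pos = 0
    for needle, distance in contents:
        idx = payload.find(needle, pos + distance)
        if idx == -1:
            return False
        pos = idx + len(needle)
    return True


def check_prefilter(payload, contents, pcre):
    """Return (chain_hit, pcre_hit) for one payload.

    Snort runs the pcre only after every content option matched, so
    (False, True) means the content chain is stricter than the regex.
    """
    return content_chain(payload, contents), pcre.search(payload) is not None


def rule_fires(payload, contents, pcre):
    """Overall verdict: content chain first, pcre only as the refinement."""
    chain_hit, pcre_hit = check_prefilter(payload, contents, pcre)
    return chain_hit and pcre_hit


if __name__ == "__main__":
    # 46 is the distance as posted; 16 is the 8 x 2 hex digits the regex allows.
    for gap in (46, 16):
        chain = [("13", 0), ("77696e646f7773", gap)]
        for name, payload in SAMPLES.items():
            print(gap, name, check_prefilter(payload, chain, PCRE_WINDOWS))
```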