Snort mailing list archives

Adding Regex into Snort rule


From: Charlie Egan <chas5873 () gmail com>
Date: Sat, 14 Jun 2014 22:51:50 +0100

Hi guys,

I'm trying to write a rule which detects a buffer overflow exploit against a web
server which I'm running on a Windows XP VM. After looking at the hex dump
in Wireshark after firing off the exploit, I was able to take some of the
content so Snort detects it, although I want to add a regex to the
rule as well to make it more advanced.

http://oi59.tinypic.com/2ptqibl.jpg - Hex dump from Wireshark

http://oi60.tinypic.com/flkeaq.jpg - Exploit code

alert tcp any any -> any any (msg:"Buffer Overflow Attempt"; content:"|90 90 90 90 90 90 90 90|"; flow:to_server,established; classtype:misc-attack; sid:1000001; rev:1;)

Now, to my understanding, regexes are added to Snort rules by using a pcre
command? So I would add, say, before the content section of the rule:

pcre:"regex here";

When I reload Snort after adding my regex, it's not loading and gives
me an error. If anyone could point me in the right direction as to what the
problem is, it would be much appreciated!

Cheers
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
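The rule from the post, run through a small evaluator added here as a worked example; this is not code from the original post or from Snort itself. It parses the content and pcre options the way the post uses them, applies the one load-time check that the post trips over (Snort requires a pcre value to be wrapped in /.../ delimiters, optionally followed by modifier letters, so pcre:"regex here" does not load), and then runs the corrected rule over constructed request payloads. The payloads, the specific regex, the rev bump and every helper name are assumptions for illustration. Snort-specific pcre modifiers (buffer selection, relative matching) are accepted but have no effect here, header fields such as ports and flow are assumed to match, and Python's re engine stands in for PCRE, which is close enough for a pattern like this one.

```python
import re

# Constructed sample payloads (not the capture from the post): a request carrying a
# NOP sled plus fake shellcode, one with only a short sled, and an ordinary request.
SLED_REQUEST = b"GET /" + b"A" * 64 + b"\x90" * 32 + b"\xcc\xeb\xfe" + b" HTTP/1.0\r\n\r\n"
SHORT_SLED_REQUEST = b"GET /" + b"\x90" * 8 + b"ZZ HTTP/1.0\r\n\r\n"
BENIGN_REQUEST = b"GET /index.html HTTP/1.0\r\n\r\n"

# One rule option: name, then optionally ":" with an optional "!" and either a
# double-quoted value (backslash escapes allowed) or a bare value, then ";".
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*(!?)(?:"((?:[^"\\]|\\.)*)"|([^;]*)))?\s*;')

# pcre modifiers that map onto Python re flags; Snort-only modifiers are ignored here.
RE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}


def snort_content_to_bytes(value):
    """Convert a Snort content string such as 'ab|90 90|cd' to bytes:
    text outside pipes is literal (backslash-escaped), text inside pipes is hex."""
    out = bytearray()
    for i, chunk in enumerate(value.split("|")):
        if i % 2:
            out += bytes.fromhex(chunk)            # fromhex ignores the spaces
        else:
            out += re.sub(r"\\(.)", r"\1", chunk).encode("latin-1")
    return bytes(out)


def snort_pcre_to_regex(value):
    """Compile a Snort pcre value. Snort insists on "/regex/modifiers"; a bare
    regex is rejected when the rules file is loaded, which is the symptom in the post."""
    m = re.fullmatch(r"/(.*)/([A-Za-z]*)", value, re.DOTALL)
    if m is None:
        raise ValueError("pcre value %r is missing its /.../ delimiters" % value)
    flags = 0
    for mod in m.group(2):
        flags |= RE_FLAGS.get(mod, 0)
    return re.compile(m.group(1).encode("latin-1"), flags)


def compile_rule(rule_text):
    """Pull the payload tests (content / pcre, with negation) out of a rule body.
    Returns a list of (negated, matcher, kind) tuples in rule order."""
    body = rule_text[rule_text.index("(") + 1:rule_text.rindex(")")].strip()
    tests, pos = [], 0
    while pos < len(body):
        m = OPTION_RE.match(body, pos)
        if m is None:
            raise ValueError("unparseable rule options near %r" % body[pos:pos + 30])
        name, negated, quoted, bare = m.groups()
        value = quoted if quoted is not None else (bare or "").strip()
        if name == "content":
            tests.append((negated == "!", snort_content_to_bytes(value), "content"))
        elif name == "pcre":
            tests.append((negated == "!", snort_pcre_to_regex(value), "pcre"))
        pos = m.end()
    return tests


def rule_loads(rule_text):
    """True if every payload option parses, i.e. the rule would load."""
    try:
        compile_rule(rule_text)
        return True
    except ValueError:
        return False


def rule_fires(rule_text, payload):
    """Evaluate the rule's payload tests against one packet payload; every test
    (honouring negation) must pass for the rule to fire."""
    for negated, matcher, kind in compile_rule(rule_text):
        hit = (matcher in payload) if kind == "content" else bool(matcher.search(payload))
        if hit == negated:
            return False
    return True


# The poster's rule with the pcre added the way the post describes: no delimiters.
BROKEN_RULE = ('alert tcp any any -> any any (msg:"Buffer Overflow Attempt"; '
               'pcre:"\\x90{16,}[^\\x90]"; content:"|90 90 90 90 90 90 90 90|"; '
               'flow:to_server,established; classtype:misc-attack; sid:1000001; rev:1;)')

# Same rule with the regex wrapped in /.../ as Snort requires. The pcre demands a
# sled of at least 16 NOPs followed by a non-NOP byte, tighter than the 8-byte content,
# and is placed after the content so the cheap byte match runs first.
FIXED_RULE = ('alert tcp any any -> any any (msg:"Buffer Overflow Attempt"; '
              'flow:to_server,established; content:"|90 90 90 90 90 90 90 90|"; '
              'pcre:"/\\x90{16,}[^\\x90]/"; classtype:misc-attack; sid:1000001; rev:2;)')

if __name__ == "__main__":
    print("broken rule loads:", rule_loads(BROKEN_RULE))
    print("fixed rule loads: ", rule_loads(FIXED_RULE))
    for label, payload in [("sled", SLED_REQUEST), ("short sled", SHORT_SLED_REQUEST),
                           ("benign", BENIGN_REQUEST)]:
        print("%-10s fires: %s" % (label, rule_fires(FIXED_RULE, payload)))
```

The short-sled case is the point of adding the pcre at all: the 8-byte content alone fires on it, the delimited pcre does not, so the regex narrows the rule rather than duplicating the content match.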
