Snort mailing list archives

Re: Adding Regex into Snort rule


From: Charlie Egan <chas5873 () gmail com>
Date: Sun, 15 Jun 2014 15:25:25 +0100

Thanks for the reply Nathan,

I'm actually a beginner when it comes to Snort and regexes. I was thinking
of just adding something along the lines of pcre:".{90,}"; because
anything with that amount of characters is bound to be a buffer overflow in
this case, if I'm correct?

This is for a project I'm currently doing, so the more advanced I can make
my rules the better, although I definitely need to do a bit more research
as the stuff about the HTTP POST to a 8-byte hex URI has confused me haha.

Cheers




On Sun, Jun 15, 2014 at 2:58 AM, Nathan Fowler <nathan () packetmail net>
wrote:


On 06/14/14 16:51, Charlie Egan wrote:

When I'm reloading Snort after adding my regex, it's not loading
and giving me an error. If anyone could point me in the right
direction of what the problem is, it would be much appreciated!

Mind sharing your PCRE?  Are you also using the / delimiters?

Here's an example: let's say I want to detect an HTTP POST to an 8-byte
hex URI. I would do this:

content:"POST"; http_method; urilen:9,norm; pcre:"/^\/[A-Fa-f0-9]{8}$/U";

This help?

Cheers,
Nathan
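The delimiter question and Nathan's option chain, as an added example that is not part of the original posts: a small Python model of how Snort parses the argument of a pcre: option (the required / delimiters, flag modifiers such as i and s, and the U selector for the normalized URI buffer) and then evaluates content:"POST"; http_method; urilen:9,norm; pcre:"/^\/[A-Fa-f0-9]{8}$/U"; against a request. Snort itself is not run here; normalize_uri is a crude stand-in for http_inspect's URI normalization, the modifier table is a subset of Snort's, and the sample requests are constructed.

```python
import re
from urllib.parse import unquote

# Snort pcre modifiers that are ordinary PCRE flags and map onto Python's re.
_REGEX_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}

# Snort-specific modifiers that select which HTTP buffer the pattern runs
# against (a subset of the Snort 2 list; "U" is the normalized URI buffer).
_BUFFER_MODIFIERS = {
    "U": "http_uri", "I": "http_raw_uri", "P": "http_client_body",
    "H": "http_header", "D": "http_raw_header", "M": "http_method",
    "C": "http_cookie", "K": "http_raw_cookie",
}


def parse_pcre_option(value):
    """Parse the argument of a Snort 'pcre:' rule option.

    Snort expects '/pattern/modifiers' (optionally quoted). A pattern with
    no '/' delimiters is a rule-load error, which this model raises as
    ValueError. Returns (compiled_regex, buffer_name).
    """
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    if not value.startswith("/"):
        raise ValueError("pcre: missing opening '/' delimiter: %r" % value)
    end = value.rfind("/")
    if end == 0:
        raise ValueError("pcre: missing closing '/' delimiter: %r" % value)
    pattern, modifiers = value[1:end], value[end + 1:]
    flags, buffer = 0, "payload"
    for mod in modifiers:
        if mod in _REGEX_FLAGS:
            flags |= _REGEX_FLAGS[mod]
        elif mod in _BUFFER_MODIFIERS:
            buffer = _BUFFER_MODIFIERS[mod]
        else:
            raise ValueError("pcre: unsupported modifier %r" % mod)
    return re.compile(pattern, flags), buffer


def pcre_option_loads(value):
    """True if the pcre option would be accepted at rule-load time."""
    try:
        parse_pcre_option(value)
    except (ValueError, re.error):
        return False
    return True


def normalize_uri(raw_uri):
    """Crude stand-in for http_inspect URI normalization: percent-decode and
    collapse repeated slashes. Real Snort normalization does more."""
    return re.sub(r"/{2,}", "/", unquote(raw_uri))


def rule_matches(method, raw_uri, pcre_value='"/^\\/[A-Fa-f0-9]{8}$/U"', urilen=9):
    """Evaluate the option chain
        content:"POST"; http_method; urilen:<urilen>,norm; pcre:<pcre_value>;
    against one request. Only the normalized-URI buffer (U) is modelled;
    any other buffer selector is matched against the raw URI here.
    """
    if method != "POST":                       # content:"POST"; http_method;
        return False
    norm = normalize_uri(raw_uri)
    if len(norm) != urilen:                    # urilen:9,norm;
        return False
    regex, buffer = parse_pcre_option(pcre_value)
    target = norm if buffer == "http_uri" else raw_uri
    return regex.search(target) is not None    # pcre:"/.../U";


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("POST", "/deadbeef"),       # 8 hex bytes: alert
        ("POST", "/%64eadbeef"),     # same URI percent-encoded: alert after norm
        ("GET", "/deadbeef"),        # wrong method
        ("POST", "/deadbeeg"),       # 9 chars but not hex
        ("POST", "/deadbeef0"),      # 9 hex bytes, urilen fails
    ]
    for method, uri in samples:
        print(method, uri, "->", rule_matches(method, uri))
    # The pattern from the thread without delimiters fails to load; with
    # delimiters it compiles.
    print('pcre:".{90,}" loads:', pcre_option_loads('".{90,}"'))
    print('pcre:"/.{90,}/U" loads:', pcre_option_loads('"/.{90,}/U"'))
```

The percent-encoded sample is why urilen has the norm argument and why the pcre carries U: both are checked against the decoded URI, so /%64eadbeef and /deadbeef are treated the same.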



_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

