Snort mailing list archives

Re: Adding Regex into Snort rule


From: Nathan Fowler <nathan () packetmail net>
Date: Sat, 14 Jun 2014 20:58:57 -0500

On 06/14/14 16:51, Charlie Egan wrote:

> When I'm reloading Snort after adding my regex, it's not loading
> and giving me an error. If anyone could point me in the right
> direction of what the problem is, it would be much appreciated!

Mind sharing your PCRE?  Are you also using the / delimiters?

Here's an example, let's say I want to detect on HTTP POST to an 8-byte
hex URI, I would do this:

content:"POST"; http_method; urilen:9,norm; pcre:"/^\/[A-Fa-f0-9]{8}$/U";

This help?

Cheers,
Nathan
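
Added example, not part of the original message and not Snort's own code: a small Python pre-flight check for the `/regex/flags` form of a pcre option value, plus an emulation of the three options in the rule fragment above, run on constructed requests. It assumes the modifier letters listed in the Snort 2.x manual, uses Python's `re` as a stand-in for PCRE, and treats the URI passed in as already normalized; the function names are hypothetical.

```python
import re

# Modifier letters accepted by the Snort 2.x pcre option (assumed from the 2.x manual).
SNORT_FLAGS = set("ismxAEGRUBPHMCOIDKYS")
# Only these four have a Python `re` equivalent; the rest pick buffers or PCRE behaviour.
PY_FLAGS = {"i": re.I, "s": re.S, "m": re.M, "x": re.X}

def lint_pcre(value):
    """Lint the text between the quotes of pcre:"..." (only the /regex/flags form).
    Returns (problems, compiled_regex_or_None, flags)."""
    body = value[1:] if value.startswith("!") else value  # leading ! negates the match
    if not body.startswith("/"):
        return ["missing opening / delimiter"], None, ""
    end = body.rfind("/")
    # Count backslashes before the last slash: an odd count means it is an escaped
    # literal slash inside the expression, not the closing delimiter.
    escapes = len(body[:end]) - len(body[:end].rstrip("\\"))
    if end == 0 or escapes % 2 == 1:
        return ["missing closing / delimiter"], None, ""
    regex, flags = body[1:end], body[end + 1:]
    problems = [f"unknown modifier {c!r}" for c in sorted(set(flags) - SNORT_FLAGS)]
    py_flags = 0
    for c in flags:
        py_flags |= PY_FLAGS.get(c, 0)
    try:
        compiled = re.compile(regex, py_flags)  # Python re stands in for PCRE here
    except re.error as exc:
        return problems + [f"regex does not compile: {exc}"], None, flags
    return problems, compiled, flags

def rule_matches(method, norm_uri, pcre_value, urilen=9):
    """Emulate content:"POST"; http_method; urilen:9,norm; pcre:"...U"; on one request.
    norm_uri is assumed to be the already-normalized URI that the U modifier selects."""
    problems, compiled, _ = lint_pcre(pcre_value)
    if problems:
        raise ValueError("; ".join(problems))
    return method == "POST" and len(norm_uri) == urilen and bool(compiled.search(norm_uri))

PCRE_FROM_POST = r"/^\/[A-Fa-f0-9]{8}$/U"  # the expression quoted in the message above

if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    for method, uri in [("POST", "/DEADBEEF"), ("POST", "/deadbee"), ("GET", "/DEADBEEF")]:
        print(method, uri, rule_matches(method, uri, PCRE_FROM_POST))
    for bad in [r"^\/[A-Fa-f0-9]{8}$", r"/^\/[A-Fa-f0-9]{8}$", r"/^\/[A-Fa-f0-9]{8}$/Uz"]:
        print(repr(bad), lint_pcre(bad)[0])
```

The `urilen` of 9 is the leading slash plus the eight hex characters that the anchored expression requires.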

