Snort mailing list archives

Re: Adding Regex into Snort rule


From: "Nicholas Mavis (nmavis)" <nmavis () cisco com>
Date: Mon, 16 Jun 2014 21:51:34 +0000

Charlie,

It is also important to note that while a rule may appear more "advanced" using a PCRE, that is not always the case. I would define an advanced rule as something that is not prone to false positives and at the same time yields very good performance within Snort. PCREs are the most expensive rule option and should only be used if necessary. Typically, a good rule option for dealing with buffer overflows instead of using a pcre would be "isdataat".

Just keep in mind that while something may look more "advanced", that doesn't mean it is.

-Nick
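To make the isdataat point concrete, here is an added example (not from any message in this thread) of the kind of rule Charlie describes, written once with a properly delimited PCRE and once with isdataat; the port 2000 and the "CMD " keyword are placeholders for whatever service the rule is meant to protect.

```snort
# Added example, not from the thread. Placeholders: TCP/2000 as the service port and
# "CMD " as the command keyword whose argument is being checked for an overlong value.

# Variant 1: the PCRE approach, with the / delimiters Nathan mentioned and anchored
# relative (/R) to the keyword match so the quantifier is evaluated once, after the
# keyword, instead of from every offset in the payload.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2000 (msg:"EXAMPLE overlong argument after CMD (pcre)"; flow:to_server,established; content:"CMD "; nocase; pcre:"/^[^\r\n]{90}/R"; classtype:attempted-admin; sid:1000001; rev:1;)

# Variant 2: the same check with isdataat, which Nick recommends over PCRE for this case.
# isdataat:90,relative is true only if at least 90 bytes follow the "CMD " match, and the
# negated content with within:90 rejects payloads where a line break falls inside those
# 90 bytes, so only a single overlong argument fires the rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2000 (msg:"EXAMPLE overlong argument after CMD (isdataat)"; flow:to_server,established; content:"CMD "; nocase; isdataat:90,relative; content:!"|0D 0A|"; within:90; classtype:attempted-admin; sid:1000002; rev:1;)
```

Both variants fire on the same traffic; the second avoids the PCRE engine entirely, which is the performance gain Nick is describing.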

From: Charlie Egan <chas5873 () gmail com>
Date: Sunday, June 15, 2014 at 10:25 AM
To: Nathan Fowler <nathan () packetmail net>
Cc: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>
Subject: Re: [Snort-sigs] Adding Regex into Snort rule

Thanks for the reply Nathan,

I'm actually a beginner when it comes to Snort and regexes. I was thinking of just adding something along the lines of pcre:".{90,}"; because anything with that amount of characters is bound to be a buffer overflow in this case, if I'm correct?

This is for a project I'm currently doing, so the more advanced I can make my rules the better, although I definitely need to do a bit more research as the stuff about the HTTP POST to an 8-byte hex URI has confused me haha.

Cheers




On Sun, Jun 15, 2014 at 2:58 AM, Nathan Fowler <nathan () packetmail net> wrote:

On 06/14/14 16:51, Charlie Egan wrote:

When I'm reloading Snort after adding my regex, it's not loading
and giving me an error. If anyone could point me in the right
direction of what the problem is, it would be much appreciated!

Mind sharing your PCRE? Are you also using the / delimiters?

Here's an example: let's say I want to detect an HTTP POST to an 8-byte
hex URI, I would do this:

content:"POST"; http_method; urilen:9,norm; pcre:"/^\/[A-Fa-f0-9]{8}$/U";

This help?

Cheers,
Nathan