Snort mailing list archives
Re: Adding Regex into Snort rule
From: "Nicholas Mavis (nmavis)" <nmavis () cisco com>
Date: Mon, 16 Jun 2014 21:51:34 +0000
Charlie,

It is also important to note that while a rule may appear more "advanced" using a PCRE, that is not always the case. I would define an advanced rule as something that is not prone to false positives and at the same time yields very good performance within Snort. PCREs are the most expensive rule option and should only be used if necessary. Typically, a good rule option for dealing with buffer overflows instead of using a pcre would be "isdataat". Just keep in mind that while something may look more "advanced", that doesn't mean it is.

-Nick

From: Charlie Egan <chas5873 () gmail com>
Date: Sunday, June 15, 2014 at 10:25 AM
To: Nathan Fowler <nathan () packetmail net>
Cc: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>
Subject: Re: [Snort-sigs] Adding Regex into Snort rule

Thanks for the reply Nathan,

I'm actually a beginner when it comes to Snort and regexes. I was thinking of just adding something along the lines of pcre:".{90,}"; because anything with that amount of characters is bound to be a buffer overflow in this case, if I'm correct? This is for a project I'm currently doing, so the more advanced I can make my rules the better, although I definitely need to do a bit more research as the stuff about the HTTP POST to an 8-byte hex URI has confused me haha.

Cheers

On Sun, Jun 15, 2014 at 2:58 AM, Nathan Fowler <nathan () packetmail net> wrote:

On 06/14/14 16:51, Charlie Egan wrote:
When I'm reloading Snort after adding my regex, it's not loading and giving me an error. If anyone could point me in the right direction of what the problem is, it would be much appreciated!
Mind sharing your PCRE? Are you also using the / delimiters? Here's an example: let's say I want to detect on an HTTP POST to an 8-byte hex URI, I would do this:

content:"POST"; http_method; urilen:9,norm; pcre:"/^\/[A-Fa-f0-9]{8}$/U";

This help?

Cheers,
Nathan
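The three rule ideas in this thread (Nathan's anchored `/U` PCRE on the URI buffer, Charlie's unanchored `.{90,}`, and Nick's `isdataat` alternative), emulated in Python against constructed requests so their verdicts can be compared side by side. This is an added illustration, not code from the thread or from Snort; the request samples are made up, and the exact `isdataat` boundary (a byte must exist at the zero-based offset given) is my reading of Snort's behaviour, not something the thread states.

```python
import re

# Constructed sample requests (not from the thread): (method, normalized URI, body bytes).
REQUESTS = {
    "hex_uri_post":  ("POST", "/deadBEEF",   b"a=1"),
    "long_uri_post": ("POST", "/deadBEEF01", b"a=1"),
    "hex_uri_get":   ("GET",  "/deadBEEF",   b""),
    "big_body_post": ("POST", "/login",      b"A" * 120),
    "small_body":    ("POST", "/login",      b"user=bob"),
}

# Nathan's rule, option by option:
#   content:"POST"; http_method; urilen:9,norm; pcre:"/^\/[A-Fa-f0-9]{8}$/U";
# The /U modifier makes Snort run the PCRE against the normalized URI buffer only,
# so the regex here is applied to the URI string and never to the body.
HEX_URI = re.compile(r"^/[A-Fa-f0-9]{8}$")

def hex_uri_rule(method, uri, body):
    return method == "POST" and len(uri) == 9 and HEX_URI.search(uri) is not None

# Charlie's idea, pcre:".{90,}"; written with its / delimiters as /.{90,}/ and emulated
# with Python's re. Unanchored and with no buffer modifier, it scans the whole payload.
LONG_RUN = re.compile(rb".{90,}")

def pcre_length_rule(method, uri, body):
    return LONG_RUN.search(body) is not None

# Nick's suggestion: isdataat:89; (assumption: true when a byte exists at zero-based
# offset 89, i.e. the payload is at least 90 bytes long). Same verdict as .{90,} on a
# single-line payload, but it is a plain length test, not a regex engine scan.
def isdataat_rule(method, uri, body, offset=89):
    return len(body) > offset

def evaluate(rule):
    """Return the names of the constructed requests the given rule would alert on."""
    return sorted(name for name, req in REQUESTS.items() if rule(*req))

if __name__ == "__main__":
    for rule in (hex_uri_rule, pcre_length_rule, isdataat_rule):
        print(f"{rule.__name__:17} -> {evaluate(rule)}")
```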
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Adding Regex into Snort rule Charlie Egan (Jun 14)
- Re: Adding Regex into Snort rule Nathan Fowler (Jun 16)
- Re: Adding Regex into Snort rule Charlie Egan (Jun 15)
- Re: Adding Regex into Snort rule Nicholas Mavis (nmavis) (Jun 16)
- Re: Adding Regex into Snort rule Charlie Egan (Jun 22)
- Re: Adding Regex into Snort rule Charlie Egan (Jun 15)
- Re: Adding Regex into Snort rule Nathan Fowler (Jun 16)
- <Possible follow-ups>
- Adding Regex into Snort rule Charlie Egan (Jun 16)