Snort mailing list archives
Re: Issue with pcre
From: Sean Cavanaugh <sean.cavanaugh () ll mit edu>
Date: Mon, 6 Oct 2014 17:10:02 -0400
Thank you Nate, your suggested changes appear to have worked! Only thing it complained about was using fast_pattern:only. I removed the "only" part and it accepted the rule.
Thanks again for your help! -Sean On 10/06/2014 04:41 PM, lists () packetmail net wrote:
On 10/06/2014 03:35 PM, Sean Cavanaugh wrote:Good afternoon all, I am relatively new to writing Snort sigs and have been having some issues with loading the rule shown below into our Sourcefire IPS, but receive the error message "...unable to parse pcre regex "trackback\/$/EiU". alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Trackback attempt"; flow:established,to_server; content:"POST"; http_method; uricontent:"/trackback/"; nocase; pcre:"\/trackback\/$/EiU"; sid:xxxxxxx;)You're missing the first \x2f, try this: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Trackback attempt"; flow:established,to_server; content:"POST"; http_method; content:"/trackback/"; http_uri; fast_pattern:only; pcre:"/\/trackback\/$/Ui"; classtype:bad-unknown; sid:xxxxxxx;) Cheers, Nathan ------------------------------------------------------------------------------ Slashdot TV. Videos for Nerds. Stuff that Matters. http://pubads.g.doubleclick.net/gampad/clk?id=160591471&iu=/4140/ostg.clktrk _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
------------------------------------------------------------------------------ Slashdot TV. Videos for Nerds. Stuff that Matters. http://pubads.g.doubleclick.net/gampad/clk?id=160591471&iu=/4140/ostg.clktrk
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Issue with pcre Sean Cavanaugh (Oct 06)
- Re: Issue with pcre lists (Oct 06)
- Re: Issue with pcre Sean Cavanaugh (Oct 06)
- Re: Issue with pcre lists (Oct 06)
- Re: Issue with pcre Joel Esler (jesler) (Oct 06)
- Re: Issue with pcre lists (Oct 06)
- Re: Issue with pcre Joel Esler (jesler) (Oct 06)
- Re: Issue with pcre lists (Oct 06)
- Re: Issue with pcre Sean Cavanaugh (Oct 06)
- Re: Issue with pcre lists (Oct 06)
- Re: Issue with pcre waldo kitty (Oct 06)
- Re: Issue with pcre lists (Oct 06)
- Re: Issue with pcre waldo kitty (Oct 06)
- Re: Issue with pcre lists (Oct 06)