Snort mailing list archives

RE: PCRE Signature Problem


From: rmkml <rmkml () ligfy org>
Date: Thu, 04 Aug 2016 13:45:04 +0200

Hi Andrey,
You cannot use pcre with http_client_body after it.
What is your target: detecting "mouse" in the URI or in http_client_body?
PCRE is for when a regular expression is needed; it is not needed simply to detect the word "mouse".
Best @Rmkml



-------- Original Message --------
From: Andrey Silversburg <andrey.silversburg () gmail com>
Date: 04/08/2016  08:28  (GMT+01:00)
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] PCRE Signature Problem


    Greetings, Snort Users

    I want to detect some portion of the content of an HTTP form using this
    rule in Snort, but it seems Snort cannot detect it. This is my rule:

    alert tcp any any -> $HOME_NET 80 (msg:"Web Attack !";
      sid:100000008; flow:to_server,established; content:"POST";
      http_method; pcre:"/mouse/Usmix"; http_client_body; rev:1;)

    I read in the Snort Users Manual how to catch HTTP content, but it
    seems Snort only captures some part of the content. I tried to analyze
    it using Wireshark. CMIIW, I'm guessing there is some "whitespace"
    that makes my PCRE rule not work. Is there anything wrong with my
    rule?

    This is from my snort -V:

       ,,_     -*> Snort! <*-
      o"  )~   Version 2.9.8.3 GRE (Build 383)
       ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
               Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
               Copyright (C) 1998-2013 Sourcefire, Inc., et al.
               Using libpcap version 1.4.0
               Using PCRE version: 8.37 2015-04-28
               Using ZLIB version: 1.2.8

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
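As an added illustration of the reply's point (example code written for this page, not from the thread or from the Snort project): a small Python model of how a Snort 2.9 `pcre` option chooses the buffer it runs against. The buffer flags (U, I, P, H, D, M) and their meanings are taken from the Snort manual's pcre section; the sample POST request, the rule variants other than the one posted, and the error text are constructed here, and the buffer split is a simplification of what the HTTP inspector does (no URI normalisation, no chunked or compressed bodies).

```python
import re

# Snort 2.9 pcre flags that select an HTTP buffer (Snort manual, pcre section).
PCRE_BUFFER_FLAGS = {
    "U": "http_uri", "I": "http_raw_uri", "P": "http_client_body",
    "H": "http_header", "D": "http_raw_header", "M": "http_method",
}
FLAG_FOR_BUFFER = {buf: flag for flag, buf in PCRE_BUFFER_FLAGS.items()}
# Ordinary Perl-style flags; mapped to the Python re equivalents.
PERL_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}


def split_options(rule):
    """Split the rule's option block on ';' characters that are outside double quotes."""
    inner = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, quoted = [], [], False
    for ch in inner:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]


def parse_options(rule):
    """Yield (keyword, value) pairs; modifiers without a value get ''."""
    for opt in split_options(rule):
        keyword, _, value = opt.partition(":")
        yield keyword.strip(), value.strip()


def http_buffers(raw_request):
    """Split a request into the buffers Snort exposes (simplified model:
    raw and normalised variants of a buffer hold the same text here)."""
    head, _, body = raw_request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = "\r\n".join(header_lines) + "\r\n"
    return {"payload": raw_request, "http_method": method,
            "http_uri": uri, "http_raw_uri": uri,
            "http_header": headers, "http_raw_header": headers,
            "http_client_body": body}


def rule_error(rule):
    """Return a load error (wording constructed here, modelled on the reply's
    point) when an http_* modifier follows anything other than content."""
    last_target = None
    for keyword, _ in parse_options(rule):
        if keyword in ("content", "pcre"):
            last_target = keyword
        elif keyword.startswith("http_") and last_target != "content":
            flag = FLAG_FOR_BUFFER.get(keyword, "?")
            return (f"{keyword} cannot follow {last_target}; select the pcre buffer "
                    f"with the {flag} flag instead, e.g. pcre:\"/mouse/{flag}\"")
    return None


def rule_matches(rule, raw_request):
    """Evaluate the content and pcre options of one rule against one request.
    msg, sid, rev, flow and friends are ignored; the modifier after a content
    option re-targets that content, while pcre picks its buffer from its flags."""
    err = rule_error(rule)
    if err:
        raise ValueError(err)
    buffers = http_buffers(raw_request)
    checks = []  # [buffer_name, compiled_regex]
    for keyword, value in parse_options(rule):
        if keyword == "content":
            checks.append(["payload", re.compile(re.escape(value.strip('"')))])
        elif keyword.startswith("http_"):
            checks[-1][0] = keyword
        elif keyword == "pcre":
            regex = value.strip('"')
            last = regex.rindex("/")
            pattern, flags = regex[1:last], regex[last + 1:]
            buf = next((PCRE_BUFFER_FLAGS[f] for f in flags if f in PCRE_BUFFER_FLAGS), "payload")
            opts = 0
            for f in flags:
                opts |= PERL_FLAGS.get(f, 0)
            checks.append([buf, re.compile(pattern, opts)])
    return all(rx.search(buffers[buf]) for buf, rx in checks)


# Constructed sample: a form POST whose body, not its URI, contains "mouse".
SAMPLE_REQUEST = ("POST /submit HTTP/1.1\r\nHost: example.test\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n"
                  "Content-Length: 24\r\n\r\ndevice=mouse&color=black")
# The rule as posted in the thread, joined onto one line.
POSTED_RULE = ('alert tcp any any -> $HOME_NET 80 (msg:"Web Attack !"; sid:100000008; '
               'flow:to_server,established; content:"POST"; http_method; '
               'pcre:"/mouse/Usmix"; http_client_body; rev:1;)')
# Variants constructed for comparison: buffer chosen by the P flag, the posted
# U flag with the trailing modifier simply dropped, and plain content instead of pcre.
PCRE_P_RULE = POSTED_RULE.replace('pcre:"/mouse/Usmix"; http_client_body;', 'pcre:"/mouse/Psmi";')
PCRE_U_RULE = POSTED_RULE.replace(' http_client_body;', '')
CONTENT_RULE = POSTED_RULE.replace('pcre:"/mouse/Usmix"; http_client_body;',
                                   'content:"mouse"; http_client_body;')

if __name__ == "__main__":
    print("posted rule:", rule_error(POSTED_RULE))
    for name, rule in [("P flag", PCRE_P_RULE), ("U flag", PCRE_U_RULE), ("content", CONTENT_RULE)]:
        print(f"{name}: {rule_matches(rule, SAMPLE_REQUEST)}")
```

Running it shows the two separate problems behind the reply: the posted rule does not load because the modifier trails a pcre option, and even with that modifier removed the U flag searches the URI, so "mouse" in the form body is never seen; both the P-flag pcre and the plain content form match the body.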