Snort mailing list archives

Re: PCRE Signature Problem


From: Y M <snort () outlook com>
Date: Thu, 4 Aug 2016 22:54:07 +0000

If you are simply practicing pcre in Snort rules, then I would suggest reading up on the pcre syntax and the pcre format 
in Snort's documentation, things like escape characters, modifiers, etc.

If you are writing the signature for production detection, then the case you are addressing can be tailored without 
pcre as others have noted.



On Wed, Aug 3, 2016 at 11:33 PM -0700, "Andrey Silversburg" <andrey.silversburg () gmail com> wrote:

Greetings, Snort Users

I want to detect some portion of the contents of an HTTP form using this rule in Snort, but it seems Snort cannot detect it. 
This is my rule:

alert tcp any any -> $HOME_NET 80 (msg:"Web Attack !"; sid:100000008; flow:to_server,established; content:"POST"; 
http_method; pcre:"/mouse/Usmix"; http_client_body; rev:1;)

I read in the Snort Users Manual how to catch HTTP content, but it seems Snort only captures some part of the content. I 
tried to analyze it using Wireshark. CMIIW, I'm guessing there is some "whitespace" that makes my PCRE rule not work. Is 
there anything wrong with my rules?

This is from my snort -V

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.3 GRE (Build 383)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 8.37 2015-04-28
           Using ZLIB version: 1.2.8
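Added example, not from this thread: the detection Andrey's rule aims at, written the two ways Y M's reply points to, as a plain content match on the request body and as a pcre restricted to the body with Snort's P modifier. The "mouse" term and message text are copied from the posted rule; the sid values are placeholders in the local range.

```snort
# Added example, not the original poster's rule. Snort 2.9 rule syntax.

# 1. No pcre: a content match with the http_client_body modifier looks for
#    "mouse" only in the HTTP request body of a POST.
alert tcp any any -> $HOME_NET 80 (msg:"Web Attack ! - mouse in POST body (content)"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:"mouse"; http_client_body; nocase; \
    sid:1000009; rev:1;)

# 2. With pcre: the P modifier inside the pcre string selects the request body.
#    In the posted rule, "/mouse/Usmix" applies U (normalized URI buffer), so the
#    pattern is never evaluated against the body; http_client_body is a content
#    modifier and does not attach to pcre. A content anchor is kept in front of
#    the pcre so the fast-pattern matcher filters traffic before the regex runs.
alert tcp any any -> $HOME_NET 80 (msg:"Web Attack ! - mouse in POST body (pcre)"; \
    flow:to_server,established; \
    content:"POST"; http_method; \
    content:"mouse"; http_client_body; nocase; \
    pcre:"/mouse/Pi"; \
    sid:1000010; rev:1;)
```

Both rules can be checked against a capture with `snort -c <snort.conf> -r <pcap> -A console` (assumed local paths) to confirm the body match fires where the URI-buffer version stays silent.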


------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!