Snort mailing list archives
Content-prefixed PCREs
From: Danilo Sartori <lds () gmx it>
Date: Tue, 22 Feb 2022 17:27:58 +0100
Hi there, I've noticed that many signatures have a design pattern made of a content followed by a pcre having that same content as a prefix, just like the following:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( msg:"SERVER-WEBAPP SolarWinds Network Configuration Manager remote file include attempt"; flow:to_server,established; http_uri; content:"/Orion/NCM/Admin/Settings/VulnerabilitySettings.aspx",fast_pattern,nocase; http_client_body; content:"txtUrl=",nocase; pcre:"/txtUrl=[^&]*?(https?|ftp)(%(25)?3a|\x3a)(%(25)?2f|\x2f)/im"; metadata:policy max-detect-ips drop,policy security-ips drop; service:http; reference:cve,2020-27871; classtype:web-application-attack; sid:58589; rev:1; )
In principle this looks like a bad choice because the literal content might be stripped out of the regexp imposing the sequentiality with:
pcre:"/^[^&]*?(https?|ftp)(%(25)?3a|\x3a)(%(25)?2f|\x2f)/imR";
Maybe there is a good reason for such a common practice? Thanks
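The two rule forms contrasted above, simulated in Python as an added example that is not from the post or from the Snort project. It models the content option as a cursor set just past the first case-insensitive hit of "txtUrl=", and the R modifier as evaluating the PCRE from that cursor; the sample bodies are constructed, and the model ignores Snort's retry of later content hits.

```python
import re

# Constructed sample HTTP client bodies: the first two carry a remote URL in
# txtUrl= (single and double percent-encoded), the last two should not fire.
BODIES = {
    "remote_url": b"a=1&txtUrl=http%3a%2f%2fexample.invalid%2fx.txt&b=2",
    "double_encoded": b"txtUrl=FTP%253A%252F%252Fexample.invalid",
    "local_path": b"txtUrl=C%3a%5cconfig.txt&x=1",
    "url_elsewhere": b"txtUrl=foo&next=http%3a%2f%2fexample.invalid",
}

CONTENT = b"txtUrl="  # content:"txtUrl=",nocase

# Rule as published: the PCRE repeats the literal as a prefix and is searched
# over the whole buffer (no R modifier, so the cursor is irrelevant).
ORIGINAL = re.compile(
    rb"txtUrl=[^&]*?(https?|ftp)(%(25)?3a|\x3a)(%(25)?2f|\x2f)", re.I | re.M)

# Form proposed in the post: literal dropped, '^' plus the R modifier tie the
# match to the cursor left behind by the content match.
RELATIVE = re.compile(
    rb"^[^&]*?(https?|ftp)(%(25)?3a|\x3a)(%(25)?2f|\x2f)", re.I | re.M)


def content_cursor(body: bytes) -> int:
    """Offset just past the first nocase hit of CONTENT, or -1 if none."""
    idx = body.lower().find(CONTENT.lower())
    return -1 if idx < 0 else idx + len(CONTENT)


def fires_original(body: bytes) -> bool:
    # Both options must match; the PCRE is searched independently of the cursor.
    return content_cursor(body) >= 0 and ORIGINAL.search(body) is not None


def fires_relative(body: bytes) -> bool:
    # Simplified R modifier: the pattern must match starting at the cursor.
    cur = content_cursor(body)
    return cur >= 0 and RELATIVE.match(body[cur:]) is not None


def compare(bodies=BODIES) -> dict:
    """Map each sample name to (original_fires, relative_fires)."""
    return {n: (fires_original(b), fires_relative(b)) for n, b in bodies.items()}


if __name__ == "__main__":
    for name, (orig, rel) in compare().items():
        print(f"{name:15} original={orig!s:5} relative={rel}")
```

Both forms agree on all four samples; the difference the post asks about is cost and readability, not what the rule detects in the common case.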