Snort mailing list archives

Content-prefixed PCREs


From: Danilo Sartori <lds () gmx it>
Date: Tue, 22 Feb 2022 17:27:58 +0100

Hi there,

I've noticed that many signatures have a design pattern made of a
content followed by a pcre having that same content as a prefix, just
like the following:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
msg:"SERVER-WEBAPP SolarWinds Network Configuration Manager remote file include attempt";
flow:to_server,established;
http_uri; content:"/Orion/NCM/Admin/Settings/VulnerabilitySettings.aspx",fast_pattern,nocase;
http_client_body; content:"txtUrl=",nocase;
pcre:"/txtUrl=[^&]*?(https?|ftp)(%(25)?3a|\x3a)(%(25)?2f|\x2f)/im";
metadata:policy max-detect-ips drop,policy security-ips drop;
service:http; reference:cve,2020-27871; classtype:web-application-attack; sid:58589; rev:1; )

In principle this looks like a bad choice, because the literal content
might be stripped out of the regexp, imposing the sequentiality with:

pcre:"/^[^&]*?(https?|ftp)(%(25)?3a|\x3a)(%(25)?2f|\x2f)/imR";
Maybe there is a good reason for such a common practice?


Thanks
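To make the two formulations from the post concrete, here is a small Python emulation (added here, not part of the original message or of the Snort ruleset) of the detection logic: the first function mirrors content:"txtUrl=" followed by a buffer-wide pcre that repeats the literal, the second mirrors the same content followed by the prefix-stripped pcre with the R modifier, where the leading ^ is emulated by anchoring the regex at the byte where the content match ended. The request bodies are constructed samples, and the emulation assumes only the first occurrence of the content is tried.

```python
import re

# Constructed sample http_client_body buffers (not from the original post).
BODIES = {
    "plain":          b"txtUrl=http://files.example/x.txt&foo=1",
    "url_encoded":    b"txtUrl=ftp%3A%2F%2Ffiles.example%2Fx",
    "double_encoded": b"txtUrl=https%253a%252f%252ffiles.example",
    "benign":         b"txtUrl=localhost&foo=http://ok.example/",
    "no_content":     b"user=bob&pass=x",
}

CONTENT = b"txtUrl="

# The pcre exactly as it appears in sid:58589 (content repeated as a literal prefix).
PCRE_FULL = re.compile(
    rb"txtUrl=[^&]*?(https?|ftp)(%(25)?3a|\x3a)(%(25)?2f|\x2f)", re.I | re.M)

# The prefix-stripped variant proposed in the post, without its leading ^:
# Pattern.match(buf, pos) below plays the role of ^ combined with the R modifier.
PCRE_REL = re.compile(
    rb"[^&]*?(https?|ftp)(%(25)?3a|\x3a)(%(25)?2f|\x2f)", re.I)


def match_original(body: bytes) -> bool:
    """content:"txtUrl=",nocase; then a buffer-wide pcre (no R modifier)."""
    if body.lower().find(CONTENT.lower()) < 0:
        return False
    return PCRE_FULL.search(body) is not None


def match_relative(body: bytes) -> bool:
    """content:"txtUrl=",nocase; then pcre:"/^.../imR" anchored where it ended.
    Assumption of this emulation: only the first content occurrence is tried."""
    pos = body.lower().find(CONTENT.lower())
    if pos < 0:
        return False
    return PCRE_REL.match(body, pos + len(CONTENT)) is not None


def compare_all() -> dict:
    """Return {name: (original_hit, relative_hit)} for every sample body."""
    return {name: (match_original(b), match_relative(b)) for name, b in BODIES.items()}


if __name__ == "__main__":
    for name, (orig, rel) in compare_all().items():
        print(f"{name:15s} original={orig!s:5s} relative={rel!s:5s}")
```

The three encodings the pcre accepts (literal ":/", single-encoded "%3A%2F", and double-encoded "%253a%252f") trigger both variants, while a value that stops at "&" before any URL does not.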

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
