Snort mailing list archives

Re: Content-prefixed PCREs


From: Joel Esler via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 23 Feb 2022 16:05:33 -0500

No, this is a good thing.  The content gives the engine a place to do the initial match in the packet contents.  The regex is anchored on the content in order to execute faster and reduce false positives.  This is the way rules SHOULD be written.

—
Sent from my iPhone
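To illustrate the evaluation order this reply describes, below is an added Python emulation (not code from the thread, from Snort, or from the ruleset) of SID 58589 as quoted in the question: the literal `content` options act as a cheap prefilter, and the PCRE runs only on buffers that passed them, anchored at the end of the content match in the `^...R` form. The engine model is simplified (one occurrence of each content, no detection-engine retries), and the HTTP requests are constructed samples.

```python
import re

# Components of SID 58589 as quoted in the thread. Engine emulation is simplified:
# one occurrence of each content, no detection-engine retries. Traffic is constructed.
URI_CONTENT = "/Orion/NCM/Admin/Settings/VulnerabilitySettings.aspx"  # fast_pattern, nocase
BODY_CONTENT = "txtUrl="                                              # nocase
# The rule's own pcre, and the "^...R" (relative) variant proposed in the question.
PCRE_ORIG = re.compile(r"txtUrl=[^&]*?(https?|ftp)(%(25)?3a|\x3a)(%(25)?2f|\x2f)", re.I | re.M)
PCRE_REL = re.compile(r"^[^&]*?(https?|ftp)(%(25)?3a|\x3a)(%(25)?2f|\x2f)", re.I | re.M)


def evaluate(uri: str, body: str, pcre: re.Pattern, relative: bool, stats: dict) -> bool:
    """Mimic the evaluation order: fast-pattern content, then body content, then PCRE."""
    stats["packets"] += 1
    if URI_CONTENT.lower() not in uri.lower():   # cheap literal prefilter: most traffic stops here
        return False
    idx = body.lower().find(BODY_CONTENT.lower())
    if idx == -1:                                 # second literal: still no regex executed
        return False
    stats["pcre_evals"] += 1
    # With R (relative) the regex is anchored right after the content match instead of
    # being searched over the whole buffer; either way it only runs on prefiltered data.
    haystack = body[idx + len(BODY_CONTENT):] if relative else body
    return pcre.search(haystack) is not None


# Constructed request samples: (http_uri, http_client_body, should_alert)
SAMPLES = [
    ("/Orion/NCM/Admin/Settings/VulnerabilitySettings.aspx", "txtUrl=http%3A%2F%2Fexample.invalid%2Fx&b=1", True),
    ("/orion/ncm/admin/settings/vulnerabilitysettings.aspx", "a=1&TXTURL=ftp://example.invalid/x", True),
    ("/Orion/NCM/Admin/Settings/VulnerabilitySettings.aspx", "txtUrl=internal.txt&other=http://x", False),
    ("/Orion/NCM/Admin/Settings/Other.aspx", "txtUrl=http://example.invalid/", False),
    ("/index.html", "user=bob&txtUrl=http%253A%252F%252Fexample.invalid", False),  # PCRE never runs
]


def run(pcre: re.Pattern, relative: bool):
    """Return the per-sample verdicts and how many times the PCRE actually executed."""
    stats = {"packets": 0, "pcre_evals": 0}
    verdicts = [evaluate(uri, body, pcre, relative, stats) for uri, body, _ in SAMPLES]
    return verdicts, stats


if __name__ == "__main__":
    for name, pcre, rel in (("content-prefixed", PCRE_ORIG, False), ("^...R form", PCRE_REL, True)):
        print(name, *run(pcre, rel))
```

Both forms give the same verdicts on these samples, and the regex is executed on only three of the five requests.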

On Feb 23, 2022, at 16:00, Danilo Sartori <lds () gmx it> wrote:

Hi there,

I've noticed that many signatures have a design pattern made of a
content followed by a pcre having that same content as a prefix, just
like the following:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (
msg:"SERVER-WEBAPP SolarWinds Network Configuration Manager remote file include attempt";
flow:to_server,established; http_uri;
content:"/Orion/NCM/Admin/Settings/VulnerabilitySettings.aspx",fast_pattern,nocase;
http_client_body; content:"txtUrl=",nocase;
pcre:"/txtUrl=[^&]*?(https?|ftp)(%(25)?3a|\x3a)(%(25)?2f|\x2f)/im";
metadata:policy max-detect-ips drop,policy security-ips drop;
service:http; reference:cve,2020-27871;
classtype:web-application-attack; sid:58589; rev:1; )

In principle this looks like a bad choice because the literal content
might be stripped out of the regexp imposing the sequentiality with:

pcre:"/^[^&]*?(https?|ftp)(%(25)?3a|\x3a)(%(25)?2f|\x2f)/imR";

Maybe there is a good reason for such a common practice?


Thanks

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads