Re: How to reference a $var in pcre?

[Matt Kettler <mkettler () evi-inc com>]

At 05:10 PM 5/12/2004, Kirk Vogelsang wrote:
> I'm having a bit of trouble getting access to a variable within a pcre
> statement.  For example:
>
> var TEST1 "foo"
> var TEST2 "bar"
>
> alert UDP any any -> any 161 ( sid: 123; rev: 1; msg: "Test";
>   pcre: !"/\b($TEST1|$TEST2)\b/"; classtype: test:)
>
> I'm trying to test the communities of SNMP packets.  If they're not
> what they should be (foo or bar), issue an alert.
>
> Unfortunately, both incorrect and correct packets trigger this alert.
> If I replace $TEST1 and $TEST2 with the actual variable text, it works
> as expected.
>
> How does one reference var's within a pcre statement?

Actually, your question is really "how does one reference variables from 
within a string expression" (pcre, content or uricontent).

As far as I know, the answer is you don't.

You could however do this:

var TEST1 "/\b(foo|bar)\b/"

alert UDP any any -> any 161 ( sid: 123; rev: 1; msg: "Test";  pcre: 
!$TEST1; classtype: test:)

And it should work, but once you're inside the quotes, I don't think you'll 
be able to access var statements.





-------------------------------------------------------
This SF.Net email is sponsored by: SourceForge.net Broadband
Sign-up now for SourceForge Broadband and get the fastest
6.0/768 connection for only $19.95/mo for the first 3 months!
http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users