Snort mailing list archives

Re: problems with Rule using PCRE


From: "Bachelor, Stephen A CTR USSOCOM HQ" <Stephen.Bachelor.ctr () socom mil>
Date: Wed, 7 Jan 2009 13:17:13 -0500

I've never seen a quantifier used for exactly one of anything before.
Plus, given the relative speed of PCRE and the fact that you're not
actually doing anything requiring regex, I'd replace
'pcre:"/^.{1}(|\x07|\x17|\x27|\x37|\x47|\x57|\x67|\x77|\x87|\x97|\xA7|\xB7|\xC7|\xD7|\xE7|\xF7)/iR"' with 'content:" |07 17 27 37 47 57 67 77 87 97 A7 B7 C7 D7 E7 F7|"; distance 1;'

-----Original Message-----
From: Document Retention [mailto:document.retention () gmail com] 
Sent: Wednesday, January 07, 2009 12:48 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] problems with Rule using PCRE

Greetings,


I am having an issue with false positives for a rule using PCRE.


alert tcp any any ( content:"|BE EF|"; depth:2; pcre:"/^.{1}(|\x07|\x17|\x27|\x37|\x47|\x57|\x67|\x77|\x87|\x97|\xA7|\xB7|\xC7|\xD7|\xE7|\xF7)/iR"

Pseudo: make sure it is BE EF, then match anything for 1 byte, then match
these hex values relative to the last match.


I am trying to match the 4th byte in ( offset 3 ).


data :  BE EF 01 07 .......    should trigger rule

However, it seems as though the PCRE will continue to look through the
rest of the packet (until the end).


How can I get it to look only at the 4th byte ?


Any help would be greatly appreciated.


Thanks,


DR
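Added example, not part of either poster's message: a small Python emulation of how Snort evaluates `content` + `depth` followed by a `pcre` with the `R` modifier, run against the pattern exactly as posted and against a corrected form. It shows that the posted pattern fires on any payload that begins with `BE EF` and has a third byte, because the first alternative inside `(|\x07|...)` is empty and therefore always matches. Putting the sixteen bytes in a character class removes that alternative and confines the test to offset 3. The payloads, the `relative_pcre_match` and `fourth_byte_in_set` helpers, and the use of `re.DOTALL` (standing in for PCRE's `s` modifier, which the posted rule does not set) are assumptions made for this example.

```python
import re

# Constructed sample values (not from the thread): the rule's
# content:"|BE EF|"; depth:2
CONTENT = b"\xBE\xEF"
DEPTH = 2

# Pattern exactly as posted. The first alternative inside the group is
# empty, so the group can always match zero bytes and the pcre succeeds
# on anything that has a byte after BE EF.
ORIGINAL_PCRE = (rb"^.{1}(|\x07|\x17|\x27|\x37|\x47|\x57|\x67|\x77"
                 rb"|\x87|\x97|\xA7|\xB7|\xC7|\xD7|\xE7|\xF7)")

# Same byte set as a character class: skip exactly one byte, then require
# exactly one byte from the set. There is no empty alternative left.
FIXED_PCRE = rb"^.[\x07\x17\x27\x37\x47\x57\x67\x77\x87\x97\xA7\xB7\xC7\xD7\xE7\xF7]"


def relative_pcre_match(payload: bytes, pcre: bytes,
                        content: bytes = CONTENT, depth: int = DEPTH) -> bool:
    """Emulate 'content; depth; pcre:/.../R' as Snort evaluates it.

    The content must lie entirely within the first `depth` bytes. The pcre
    is then evaluated relative to the end of that content match, so `^`
    anchors immediately after it (emulated here by slicing the payload).
    re.DOTALL lets '.' consume a 0x0A byte, like PCRE's 's' modifier.
    """
    idx = payload.find(content, 0, depth)
    if idx < 0:
        return False
    rest = payload[idx + len(content):]
    return re.match(pcre, rest, re.DOTALL) is not None


def fourth_byte_in_set(payload: bytes) -> bool:
    """The intended condition stated without regex: every byte in the
    posted set has low nibble 7, so test offset 3 for exactly that."""
    return (payload[:2] == CONTENT and len(payload) >= 4
            and (payload[3] & 0x0F) == 0x07)


if __name__ == "__main__":
    samples = {
        "BE EF 01 07": bytes.fromhex("BEEF0107"),        # should alert
        "BE EF 01 08": bytes.fromhex("BEEF0108"),        # must not alert
        "BE EF 01": bytes.fromhex("BEEF01"),             # no 4th byte at all
        "00 BE EF 01 07": bytes.fromhex("00BEEF0107"),   # BE EF outside depth:2
    }
    for label, pkt in samples.items():
        print(f"{label:16} original={relative_pcre_match(pkt, ORIGINAL_PCRE)!s:5} "
              f"fixed={relative_pcre_match(pkt, FIXED_PCRE)!s:5} "
              f"intended={fourth_byte_in_set(pkt)}")
```

Running it shows the posted pattern returning True for `BE EF 01 08` and even for `BE EF 01`, while the character-class form and the direct nibble test agree on all four payloads. When replacing the regex with plain byte matching, keep in mind that a single `content` match tests for a contiguous byte sequence; a one-of-sixteen-bytes condition needs a character class in the pcre or a numeric test on that byte, not a sixteen-byte content string.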


------------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It is the best place to buy or sell services for
just about anything Open Source.
http://p.sf.net/sfu/Xq1LFB
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

