Snort mailing list archives

Re: [Emerging-Sigs] Errors with the Snort manual


From: Mike Cox <mike.cox52 () gmail com>
Date: Thu, 18 Feb 2010 14:12:19 -0600

I fail to see how the PCRE "/ABC.{1}DEF/" maps to "content:"ABC";
content:"DEF"; distance:1;"

The PCRE matches the string "ABC" followed by any single byte (note the
superfluous "{1}" making the PCRE more confusing IMHO) followed by the
string "DEF".  As for the content matches, the first content match matches
the string "ABC".  So far so good.  The second content match skips a single
byte and then starts looking to match the string "DEF".  So the string
"ABCDEF" would not match either, the string "ABCXDEF" would match both, and
the string "ABCDXYZDEF" would match the content keywords but not the PCRE.
This disparity in matching makes me question the "mapping" of the PCRE to
the content matches.  Yes, there are strings that will match both but it is
clearly not a 1 to 1 mapping.

-Mike Cox
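To make the disparity concrete, here is an added Python model (written for this note, not Snort's engine and not code from the thread) that evaluates the content/distance chain and the PCRE over the three payloads above, plus the within:10 example from section 3.5.7. The `content_chain` function, its simplified modifier semantics and the sample payloads are my own assumptions and constructions.

```python
import re

def content_chain(payload: bytes, matches) -> bool:
    """Simplified model of a chain of Snort content matches.

    `matches` is a list of (pattern, distance, within) tuples; distance and
    within are None when the modifier is absent.  Assumed semantics (an
    approximation, not Snort's real engine): each content is searched from
    the end of the previous match plus `distance`, and must lie entirely
    within the next `within` bytes when that modifier is set.  Earlier
    contents are retried at later occurrences so a later modifier can still
    be satisfied.
    """
    def search(pos: int, idx: int) -> bool:
        if idx == len(matches):
            return True
        pattern, distance, within = matches[idx]
        start = pos + (distance or 0)
        window = payload[start:] if within is None else payload[start:start + within]
        offset = 0
        while True:
            found = window.find(pattern, offset)
            if found == -1:
                return False
            if search(start + found + len(pattern), idx + 1):
                return True
            offset = found + 1  # retry with the next occurrence of this content
    return search(0, 0)

# The two rule fragments discussed in the thread, expressed for the model.
RULE_DISTANCE = [(b"ABC", None, None), (b"DEF", 1, None)]   # content:"DEF"; distance:1;
RULE_WITHIN = [(b"ABC", None, None), (b"EFG", None, 10)]    # content:"EFG"; within:10;
PCRE = re.compile(rb"ABC.{1}DEF")

def compare(payload: bytes) -> tuple:
    """Return (pcre_matched, content_chain_matched) for the distance rule."""
    return bool(PCRE.search(payload)), content_chain(payload, RULE_DISTANCE)

if __name__ == "__main__":
    # Constructed sample payloads from the discussion above.
    for p in (b"ABCDEF", b"ABCXDEF", b"ABCDXYZDEF"):
        print(p, "pcre/content ->", compare(p))
```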

On Thu, Feb 18, 2010 at 1:58 PM, evilghost () packetmail net <
evilghost () packetmail net> wrote:

You are absolutely correct, this has been resolved in the 2.8.5.1
manual.  Evidently I did report it after all (couldn't remember) or it
was resolved without my reporting.  Thanks Joel.

-evilghost

Joel Esler wrote:
Evilghost,

I have to go off of the current version of the manual, as we put out
corrections and additions to the manual with every version of Snort.

I am looking at the 2.8.5.1 version that is currently on Snort.org,
the REGEX in 3.5.6 reads:
"/ABC.{1}DEF/" and the example is (content:"ABC"; content:"DEF";
distance:1;).
This is correct.

In 3.5.7 it says "This rule constrains the search of EFG to not go
past 10 bytes past the ABC match."

The example is (content:"ABC"; content:"EFG"; within:10;) -- which is
correct.

As for there being no "D".  There is nothing mentioned about the letter
D.

J

On Thu, Feb 18, 2010 at 2:37 PM, evilghost () packetmail net
<evilghost () packetmail net> wrote:

    Hello,

    There was a discussion on ET about some errors in the Snort manual.  I
    cannot remember if I reported these or not.  The Snort 2.8.4 manual
    appears to be inaccurate or wrong in a few places, specifically:

    Page #114, section 3.5.6, the REGEX used to explain figure 3.16 is
    incorrect.
    Page #114, section 3.5.7, the "10 bytes past the ABCDE match" verbiage
    is incorrect, there is no "D" in figure 3.17 nor is the explanation of
    figure 3.17 correct.

    I did not check 2.8.5 but I assume these may persist there as well.

    Thanks
    -evilghost

    _______________________________________________
    Emerging-sigs mailing list
    Emerging-sigs () emergingthreats net
    <mailto:Emerging-sigs () emergingthreats net>
    http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

    Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs
    and Lanyards

http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html




--
Joel Esler
302-223-5974


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
