Snort mailing list archives

PCRE and the Snort-specific modifiers


From: Joshua.Kinard () us-cert gov
Date: Fri, 13 Aug 2010 20:05:34 -0400


Hi all,

I've got a couple of questions regarding the 'pcre' rule option and its
modifier stack.  With a 'content' rule option, we cannot mix options
like 'http_header' and 'http_raw_header', otherwise, Snort throws an
error.  Does the same apply to using the various Snort-specific URI
modifiers in 'pcre'?

I.e., should using 'U' (like http_uri) forbid 'I' (like http_raw_uri)?
Ditto for 'H' & 'D', and 'C' & 'K'.

How about using the 'B' (like rawbytes) modifier?  Again with 'content',
we cannot use 'rawbytes' and any http_* modifier.  Should the use of 'B'
forbid the use of 'U', 'I', 'P', 'H', 'D', 'M', 'C', 'K', 'S', & 'Y'?
Currently, Snort doesn't enforce any parser check against a rule using
such a combination.  I've only been testing the parser (and looking at
the code for the parser for some of these options), so I haven't tried
validating this against any actual traffic as of yet.

And how is the 'O' modifier used?  Its description in the manual simply
states that it overrides pcre_match_limit... but with what?  Does it
simply instruct Snort to just ignore the aforementioned limit, or does
this modifier take an argument somehow?  I haven't studied the source
well enough to figure out what this specific modifier is doing.

Also, the manual needs to mention the exclusivity of the 'R' (relative)
and URI modifiers.  An error condition is thrown when the parser detects
them used together, but I see no mention in the manual of this check.
The manual does, however, mention not to use 'R' and 'B' together
(why?), but the parser does not actually enforce this (which is
inconsistent).

Thanks!

--J

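As an added example (not part of the message above and not Snort's own parser code), the following Python linter checks the modifier combinations the message describes: on a 'content', a cooked/raw pair such as http_header and http_raw_header, and rawbytes alongside any http_* modifier, are reported as errors; on a 'pcre', 'R' together with a URI modifier is reported as an error, and 'R' with 'B' as a warning since the manual advises against it while the parser does not reject it. Assumptions: the http_uri/http_raw_uri and http_cookie/http_raw_cookie pairs are treated like the header pair; "URI modifiers" for the 'R' check are taken to be 'U' and 'I', following the message's own mapping of pcre letters to content modifiers; the pcre combinations the message asks about ('U' with 'I', 'B' with the http letters, and so on) are only flagged as warnings by analogy with the content rules, because the message says Snort did not enforce them. The sample rules are constructed for this example.

```python
import re

# Snort 2.x 'content' modifiers that select an HTTP buffer (keyword follows the content).
HTTP_CONTENT_MODIFIERS = {
    "http_uri", "http_raw_uri", "http_header", "http_raw_header",
    "http_cookie", "http_raw_cookie", "http_client_body", "http_method",
    "http_stat_code", "http_stat_msg",
}
# Cooked/raw pairs that may not share one content.  The message names the header
# pair; the uri and cookie pairs are assumed here to follow the same rule.
RAW_COOKED_PAIRS = [
    ("http_uri", "http_raw_uri"),
    ("http_header", "http_raw_header"),
    ("http_cookie", "http_raw_cookie"),
]

# 'pcre' modifier letters, mapped to content modifiers as in the message above.
PCRE_HTTP_LETTERS = set("UIPHDMCKSY")
PCRE_URI_LETTERS = {"U", "I"}                      # like http_uri / http_raw_uri (assumption)
PCRE_RAW_COOKED_PAIRS = [("U", "I"), ("H", "D"), ("C", "K")]


def split_options(body):
    """Split a rule option body on ';' outside double quotes, honouring \\" escapes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\" and in_quote:
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            cur.append(ch)
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def pcre_flags(value):
    """Return the modifier letters of a pcre value such as '"/foo/UR"' or '!"/x/i"'."""
    v = value.strip().lstrip("!").strip().strip('"')
    if not v.startswith("/") or v.count("/") < 2:
        raise ValueError(f"malformed pcre value: {value!r}")
    return set(v[v.rfind("/") + 1:])


def check_content(mods):
    """Findings for the modifier set attached to one content option."""
    findings = []
    for cooked, raw in RAW_COOKED_PAIRS:
        if cooked in mods and raw in mods:
            findings.append(f"error: content mixes {cooked} and {raw}")
    if "rawbytes" in mods:
        for m in sorted(mods & HTTP_CONTENT_MODIFIERS):
            findings.append(f"error: content mixes rawbytes and {m}")
    return findings


def check_pcre(flags):
    """Findings for one pcre modifier set; warnings are by analogy, not parser errors."""
    findings = []
    uri = flags & PCRE_URI_LETTERS
    if "R" in flags and uri:
        findings.append("error: pcre mixes R with URI modifier(s) " + "".join(sorted(uri)))
    if "R" in flags and "B" in flags:
        findings.append("warning: pcre mixes R and B (manual says not to; parser does not reject)")
    for cooked, raw in PCRE_RAW_COOKED_PAIRS:
        if cooked in flags and raw in flags:
            findings.append(f"warning: pcre mixes {cooked} and {raw} (cooked/raw pair)")
    if "B" in flags:
        for m in sorted(flags & PCRE_HTTP_LETTERS):
            findings.append(f"warning: pcre mixes B and {m} (rawbytes-like with an http buffer)")
    return findings


def lint_rule(rule):
    """Return the list of findings for one Snort rule string (empty list if clean)."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        raise ValueError("rule has no option body")
    contents, findings, current = [], [], None
    for opt in split_options(rule[start + 1:end]):
        key, _, value = opt.partition(":")
        key = key.strip()
        if key == "content":
            current = set()          # modifiers that follow attach to this content
            contents.append(current)
        elif key in HTTP_CONTENT_MODIFIERS or key == "rawbytes":
            if current is None:
                findings.append(f"error: {key} has no preceding content")
            else:
                current.add(key)
        elif key == "pcre":
            findings.extend(check_pcre(pcre_flags(value)))
    for mods in contents:
        findings.extend(check_content(mods))
    return findings


# Constructed sample rules (not from any ruleset).
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"hdr mix"; content:"Host"; http_header; http_raw_header; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"raw mix"; content:"GET"; rawbytes; http_method; sid:1000002;)',
    'alert tcp any any -> any 80 (msg:"pcre R+U"; content:"/admin"; http_uri; pcre:"/\\.php$/UR"; sid:1000003;)',
    'alert tcp any any -> any 80 (msg:"ok"; content:"/admin"; http_uri; pcre:"/\\.php$/Ui"; sid:1000004;)',
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule.split("msg:")[1].split(";")[0], "->", lint_rule(rule) or ["clean"])
```

The error findings correspond to combinations the message says Snort's parser already rejects; the warnings are the combinations it asks about, so a rule author can review them before Snort's own behaviour on live traffic settles the question.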