Re: PCRE and the Snort-specific modifiers

[Matthew Watchinski <mwatchinski () sourcefire com>]

Opened a bug to evaluate.

Cheers
Matt

Sent from my iPhone

On Aug 13, 2010, at 8:05 PM, Joshua.Kinard () us-cert gov wrote:

> Hi all,
>
> I've got a couple of questions regarding the 'pcre' rule option and  
> its
> modifier stack.  With a 'content' rule option, we cannot mix options
> like 'http_header' and 'http_raw_header', otherwise, Snort throws an
> error.  Does the same apply to using the various Snort-specific URI
> modifiers in 'pcre'?
>
> I.e., should using 'U' (like http_uri) forbid 'I' (like http_raw_uri)?
> Ditto for 'H' & 'D', and 'C' & 'K'.
>
> How about using the 'B' (like rawbytes) modifier?  Again with  
> 'content',
> we cannot use 'rawbytes' and any http_* modifier.  Should the use of  
> 'B'
> forbid the use of 'U', 'I', 'P', 'H', 'D', 'M' , 'C', 'K', 'S', & 'Y'?
> Currently, Snort doesn't enforce any parser check against a rule using
> such a combination.  I've only been testing the parser (and looking at
> the code for the parser for some of these options), so I haven't tried
> validating this against any actual traffic as of yet.
>
> And how is the 'O' modifier used?  Its description in the manual  
> simply
> states that it overrides pcre_match_limit....but with what?  Does it
> simply instruct Snort to just ignore the aforementioned limit, or does
> this modifier take an argument somehow?  I haven't studied the source
> well enough to figure out what this specific modifier is doing.
>
> Also, the manual needs to mention the exclusivity of the  
> 'R' (relative)
> and URI modifiers.  An error condition is thrown when the parser  
> detects
> them used together, but I see no mention in the manual of this check.
> The manual does, however, mention not to use 'R' and 'B' together
> (why?), but the parser does not actually enforce this (which is
> inconsistent).
>
> Thanks!,
>
> --J
>
> --- 
> --- 
> --- 
> ---------------------------------------------------------------------
> This SF.net email is sponsored by
>
> Make an app they can't live without
> Enter the BlackBerry Developer Challenge
> http://p.sf.net/sfu/RIM-dev2dev
> _______________________________________________
> Snort-devel mailing list
> Snort-devel () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-devel

------------------------------------------------------------------------------
This SF.net email is sponsored by 

Make an app they can't live without
Enter the BlackBerry Developer Challenge
http://p.sf.net/sfu/RIM-dev2dev 
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel