Snort mailing list archives
Re: Mis-Matching traffic with PCRE Rules
From: Joshua Kinard <kumba () gentoo org>
Date: Fri, 08 Mar 2013 17:34:36 -0500
On 03/08/2013 9:28 AM, Joel Esler wrote:
> On Mar 8, 2013, at 5:43 AM, waseem sarwar <waseemsarwar103 () hotmail com> wrote:
>
>> I have a pcre based rule as follows in my rules file,
>>
>> alert udp any any -> any 53 (msg:"MALWARE domain capodeicapi.eu"; pcre:"m/capodeicapi.eu/i"; classtype:trojan-activity; sid:5000968;)
>
> Hm.. I'm not sure what you are doing with the "m" in your pcre there.. but if you are trying to match on a domain name lookup, that rule won't work. The "." in a domain name is actually a number. And it would be faster and better to do a content match there.
>
> content:"capodeicapi|02|eu"; or something like that.
The 'm' is a way to specify an alternate pcre delimiter. A '/' is default, so he really doesn't need the 'm' in there, although I don't think it should be a problem.

As for the DNS label bit, yeah, he would be better off using a static content match and include a byte count plus the null terminator, as well as fast_pattern:only;.

    content:"|0b|capodeicapi|02|eu|00|"; fast_pattern:only;

If it's an actual HTTP URL he wanted, he is totally on the wrong transport protocol and he should enable/use the HTTP preprocessor:

2nd-level domain match in HTTP headers:

    content:"Host: capodeicapi.eu"; http_header; fast_pattern:only;

3rd-level match (pcre form):

    content:"capodeicapi.eu"; http_header; fast_pattern:only; pcre:"/Host\x3a\x20.*\x2ecapodeicapi\x2eeu/iH"

Could also do the 3rd-level match w/ two relative contents to avoid the penalty of the libpcre offload, but that might run into the "Referer" field, if it repeats that 2nd-level:

    content:"Host: "; http_header; content:"capodeicapi.eu"; nocase; distance:0; http_header;
>> The issue I am facing is that this rule also matches for the domain http://capo.eu which it should not match. I am also facing a similar problem with more pcre rules, such that they match substring-based URLs of actual rules. I am using snort version 2.9.1.
>
> First thing I am going to ask you to do is upgrade your version of Snort. We are on 2.9.4.1 now, support for 2.9.1 ended about a year ago. In addition to that, I also need to know what version of pcre you have installed on the box.
Does Snort depend on the pcre lib installed by the OS, or does it include its own copy of libpcre in some form?

--
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between." --Emperor Turhan, Centauri Republic
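To make the DNS-label point concrete, here is an added example (not code from the thread or from Snort) that encodes a domain into DNS wire format, renders the equivalent Snort content: string with the length bytes and null terminator, and shows on constructed query packets why the byte match does not fire on capo.eu or on capodeicapi.eu.example while still catching www.capodeicapi.eu. The build_query helper and the sample domains are assumptions for the demonstration.

```python
import struct


def dns_wire_name(domain: str) -> bytes:
    """Encode a domain as DNS wire-format labels: <len><label>...<0x00>."""
    out = b""
    for label in domain.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:  # RFC 1035 label length limit
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name


def snort_content(domain: str) -> str:
    """Render the wire-format name as a Snort content: option.

    Length bytes and the terminator are hex-escaped with |..|, which is
    what turns "capodeicapi.eu" into |0b|capodeicapi|02|eu|00|.
    """
    parts = [f"|{len(label):02x}|{label}" for label in domain.strip(".").split(".")]
    return 'content:"' + "".join(parts) + '|00|";'


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed minimal DNS query: 12-byte header plus one A/IN question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    question = dns_wire_name(qname) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def qname_matches(payload: bytes, domain: str) -> bool:
    """Static byte match equivalent to the content: rule for this domain."""
    return dns_wire_name(domain) in payload


if __name__ == "__main__":
    print(snort_content("capodeicapi.eu"))  # content:"|0b|capodeicapi|02|eu|00|";
    for name in ("capodeicapi.eu", "www.capodeicapi.eu", "capo.eu", "capodeicapi.eu.example"):
        print(f"{name:28s} -> {qname_matches(build_query(name), 'capodeicapi.eu')}")
```

DNS names are case-insensitive on the wire (and some resolvers randomise case), so a production rule would add nocase; to the content match.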
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Mis-Matching traffic with PCRE Rules waseem sarwar (Mar 08)
- Re: Mis-Matching traffic with PCRE Rules Joel Esler (Mar 08)
- Re: Mis-Matching traffic with PCRE Rules waseem sarwar (Mar 08)
- Re: Mis-Matching traffic with PCRE Rules Todd Wease (Mar 08)
- Re: Mis-Matching traffic with PCRE Rules Joshua Kinard (Mar 08)
- Re: Mis-Matching traffic with PCRE Rules waseem sarwar (Mar 08)
- Re: Mis-Matching traffic with PCRE Rules Joel Esler (Mar 08)