Snort mailing list archives
Re: [help,urgent] Using PCRE to match packets in hex
From: Jeremy Hoel <jthoel () gmail com>
Date: Sun, 27 Oct 2013 12:56:32 -0600
Without a pcap of the data you're trying to hit on, it's hard to tell, but this section mentions you might want a content part of the rule also.

http://manual.snort.org/node32.html#SECTION004523200000000000000

On Oct 27, 2013 12:43 PM, "Yoyo Lam" <mtcyoyo () gmail com> wrote:
Hello experts,

I have a problem about PCRE. I wrote a PCRE pattern that perfectly matches a certain message, and I checked in some regex checker and there is no problem. But when I put it in a Snort rule with the B modifier, it doesn't work. Please help me to figure out what happened.

The PCRE Check page: http://www.phpliveregex.com/p/1In

My Snort rule:

alert tcp any any -> any any (pcre:"/([0-9a-fA-F]{2})13([0-9a-fA-F]{2}){8}(77696e646f7773|6c696e7578)/B"; msg:"Some message"; sid:1234567; rev:1;)

Please help me by either
1) Telling me what I have forgotten to add/change/remove;
2) Give me the working rule :D
3) Any way that can solve this fast

This is quite urgent, so please help me asap.

Best regards,
Yoyo

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
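Added example, not part of the thread or of Snort itself: Snort's pcre option runs against the payload bytes, so a pattern built from ASCII hex digits matches a hex dump pasted into a regex tester but not the packet. Python's `re` stands in for the PCRE engine here; the byte-level pattern is an assumed reading of the posted one (one byte, 0x13, eight bytes, then "windows" or "linux"), and the payloads are constructed.

```python
import re

# The pattern exactly as posted: it matches ASCII hex digits, i.e. a hex dump.
HEX_TEXT_PATTERN = re.compile(
    rb"([0-9a-fA-F]{2})13([0-9a-fA-F]{2}){8}(77696e646f7773|6c696e7578)"
)

# Byte-level reading of the same pattern (assumption about the intent):
# any byte, 0x13, any eight bytes, then ASCII "windows" or "linux".
# DOTALL lets "." match every byte value, like the "s" modifier in PCRE.
RAW_BYTE_PATTERN = re.compile(rb".\x13.{8}(windows|linux)", re.DOTALL)


def build_payload(os_name: bytes, marker: int = 0x13) -> bytes:
    """Constructed sample payload: 1 byte, marker, 8 filler bytes, OS name."""
    return bytes([0x01, marker]) + bytes(range(0xA0, 0xA8)) + os_name


def compare(payload: bytes) -> dict:
    """Run both patterns against the raw payload and against its hex dump."""
    hex_view = payload.hex().encode()  # what a regex tester is usually fed
    return {
        "posted_on_hex_dump": bool(HEX_TEXT_PATTERN.search(hex_view)),
        "posted_on_raw_bytes": bool(HEX_TEXT_PATTERN.search(payload)),
        "byte_level_on_raw_bytes": bool(RAW_BYTE_PATTERN.search(payload)),
    }


if __name__ == "__main__":
    for name in (b"windows", b"linux"):
        print(name.decode(), compare(build_payload(name)))
    # Control: wrong marker byte, nothing should match.
    print("control", compare(build_payload(b"windows", marker=0x14)))
```

The posted pattern only matches the hex-dump view; the byte-level form is the one that matches what is actually on the wire.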