Snort mailing list archives
Re: [help,urgent] Using PCRE to match packets in hex
From: JJ Cummings <cummingsj () gmail com>
Date: Sun, 27 Oct 2013 14:49:47 -0600
Even if using regex you need a content anchor... It is considered best practice and helps dramatically in terms of performance and overall rule overhead!

Sent from the iRoad
On Oct 27, 2013, at 13:33, Yoyo Lam <mtcyoyo () gmail com> wrote:

These would be samples for checking. They are fetched using Wireshark. You can find it at the first packets to 130.37.198.87. A sample of the packet that I want to match is already on the regex site I put before. I thought there would be no problem with my packet.

I just want to know how to use my pattern to match against the hex dump of the packet. I didn't use content since I don't really get how to use it properly, and with my programming experience I am more familiar with regex. And it seems that using pcre alone is ok (not thoroughly tested).

Yoyo

2013/10/27 Jeremy Hoel <jthoel () gmail com>:

Without a pcap of the data you're trying to hit on, it's hard to tell.. but this section mentions you might want a content part of the rule also.
http://manual.snort.org/node32.html#SECTION004523200000000000000

On Oct 27, 2013 12:43 PM, "Yoyo Lam" <mtcyoyo () gmail com> wrote:

Hello experts,

I have a problem about PCRE. I wrote a PCRE pattern that perfectly matches a certain message, and I checked it in some regex checker and there is no problem. But when I put it in a Snort rule with the B modifier, it doesn't work. Please help me to figure out what happened.

The PCRE check page: http://www.phpliveregex.com/p/1In

My Snort rule:

alert tcp any any -> any any (pcre:"/([0-9a-fA-F]{2})13([0-9a-fA-F]{2}){8}(77696e646f7773|6c696e7578)/B"; msg:"Some message"; sid:1234567; rev:1;)

Please help me by either
1) Telling me what I have forgotten to add/change/remove;
2) Giving me the working rule :D
3) Any way that can solve this fast

This is quite urgent, so please help me asap.

Best regards,
Yoyo

------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors.
See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!

<drop.pcapng> <drop2.pcapng>
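An added example, not from any message in this thread, that uses Python's re module to show the difference between running the quoted pattern over a hex dump (what a web regex tester sees) and over the raw payload bytes (what Snort's pcre option is applied to, with or without /B), and how a literal content-style anchor gates the regex as JJ suggests. The payloads are constructed, and the Snort rule text in the comment is my own rendering rather than anything posted in the thread.

```python
import re
import binascii

# Constructed sample payloads (not the thread's pcaps): a leading byte, a
# 0x13 byte, eight arbitrary bytes, then the ASCII string the rule looks for.
PAYLOAD_WINDOWS = b"\x00\x13" + bytes(range(1, 9)) + b"windows\r\n"
PAYLOAD_LINUX = b"\xff\x13" + b"ABCDEFGH" + b"linux"
PAYLOAD_BENIGN = b"\x00\x14" + bytes(range(1, 9)) + b"windows\r\n"

# The pattern from the thread's rule, as written: it describes hex *text*.
HEX_TEXT_PATTERN = re.compile(
    rb"([0-9a-fA-F]{2})13([0-9a-fA-F]{2}){8}(77696e646f7773|6c696e7578)"
)

# The same condition expressed on raw payload bytes. DOTALL lets '.' match
# any byte, which is what the 's' pcre modifier does in Snort.
RAW_BYTES_PATTERN = re.compile(rb".\x13.{8}(windows|linux)", re.DOTALL)


def hex_pattern_on_dump(payload: bytes) -> bool:
    """What a web regex tester sees: the pattern run over a hex dump string."""
    return HEX_TEXT_PATTERN.search(binascii.hexlify(payload)) is not None


def hex_pattern_on_raw(payload: bytes) -> bool:
    """What Snort sees: the same pattern run over the raw payload bytes."""
    return HEX_TEXT_PATTERN.search(payload) is not None


def content_anchor_hit(payload: bytes) -> bool:
    """Literal pre-check standing in for content:"|13|"; offset:1; depth:1;"""
    return len(payload) > 1 and payload[1] == 0x13


def rule_matches(payload: bytes) -> bool:
    """Anchor first, regex only on anchored packets, mirroring content + pcre
    in one rule. Illustrative Snort form (my rendering, not from the thread):
      content:"|13|"; offset:1; depth:1; pcre:"/^.\\x13.{8}(?:windows|linux)/s";
    """
    return content_anchor_hit(payload) and RAW_BYTES_PATTERN.search(payload) is not None


if __name__ == "__main__":
    for name, p in (("windows", PAYLOAD_WINDOWS), ("linux", PAYLOAD_LINUX),
                    ("benign", PAYLOAD_BENIGN)):
        print(name, hex_pattern_on_dump(p), hex_pattern_on_raw(p), rule_matches(p))
```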
Current thread:
- Re: [help,urgent] Using PCRE to match packets in hex, (continued)
- Re: [help,urgent] Using PCRE to match packets in hex Jeremy Hoel (Oct 27)
- Re: [help,urgent] Using PCRE to match packets in hex Yoyo Lam (Oct 27)
- Re: [help,urgent] Using PCRE to match packets in hex waldo kitty (Oct 27)
- Re: [help,urgent] Using PCRE to match packets in hex Yoyo Lam (Oct 27)
- Re: [help,urgent] Using PCRE to match packets in hex Yoyo Lam (Oct 27)
- Re: [help,urgent] Using PCRE to match packets in hex rmkml (Oct 27)
- Re: [help,urgent] Using PCRE to match packets in hex rmkml (Oct 27)
- Re: [help,urgent] Using PCRE to match packets in hex Yoyo Lam (Oct 27)
- Message not available
- Re: [help,urgent] Using PCRE to match packets in hex Yoyo Lam (Oct 28)
- Re: [help,urgent] Using PCRE to match packets in hex Yoyo Lam (Oct 28)
- Re: [help,urgent] Using PCRE to match packets in hex Yoyo Lam (Oct 27)
- Re: [help,urgent] Using PCRE to match packets in hex Jeremy Hoel (Oct 27)
- Re: [help,urgent] Using PCRE to match packets in hex JJ Cummings (Oct 27)
- Re: [help,urgent] Using PCRE to match packets in hex rmkml (Oct 27)