Snort mailing list archives
Re: Issue with pcre
From: lists () packetmail net
Date: Mon, 06 Oct 2014 15:41:13 -0500
On 10/06/2014 03:35 PM, Sean Cavanaugh wrote:
Good afternoon all, I am relatively new to writing Snort sigs and have been having some issues with loading the rule shown below into our Sourcefire IPS, but receive the error message "...unable to parse pcre regex "trackback\/$/EiU". alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Trackback attempt"; flow:established,to_server; content:"POST"; http_method; uricontent:"/trackback/"; nocase; pcre:"\/trackback\/$/EiU"; sid:xxxxxxx;)
You're missing the first \x2f, try this: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Trackback attempt"; flow:established,to_server; content:"POST"; http_method; content:"/trackback/"; http_uri; fast_pattern:only; pcre:"/\/trackback\/$/Ui"; classtype:bad-unknown; sid:xxxxxxx;) Cheers, Nathan ------------------------------------------------------------------------------ Slashdot TV. Videos for Nerds. Stuff that Matters. http://pubads.g.doubleclick.net/gampad/clk?id=160591471&iu=/4140/ostg.clktrk _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Issue with pcre Sean Cavanaugh (Oct 06)
- Re: Issue with pcre lists (Oct 06)
- Re: Issue with pcre Sean Cavanaugh (Oct 06)
- Re: Issue with pcre lists (Oct 06)
- Re: Issue with pcre Joel Esler (jesler) (Oct 06)
- Re: Issue with pcre lists (Oct 06)
- Re: Issue with pcre Joel Esler (jesler) (Oct 06)
- Re: Issue with pcre lists (Oct 06)
- Re: Issue with pcre Sean Cavanaugh (Oct 06)
- Re: Issue with pcre lists (Oct 06)
- Re: Issue with pcre waldo kitty (Oct 06)
- Re: Issue with pcre lists (Oct 06)
- Re: Issue with pcre waldo kitty (Oct 06)
- Re: Issue with pcre lists (Oct 06)