Snort mailing list archives
Re: PCRE Signature Problem
From: Andrey Silversburg <andrey.silversburg () gmail com>
Date: Tue, 9 Aug 2016 07:37:05 +0700
Thank you for all the answers. I'll try it first.

On 8/8/2016 7:53 PM, Joel Esler (jesler) wrote:

If you are matching on that static string, why truncate it?

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"PROTOCOL-OTHER Web Attack"; flow:to_server,established; content:"POST"; http_method; content:"/mouse/Usmix"; nocase; http_client_body; metadata:service http;)

On Aug 7, 2016, at 4:03 PM, rmkml <rmkml () ligfy org> wrote:

Fixed pcre example:

alert tcp any any -> $HOME_NET 80 (msg:"Web Attack !"; sid:100000008; flow:to_server,established; content:"POST"; http_method; pcre:"/mouse/Pi"; rev:1;)

fires three times on your pcre.pcap. But in your example, pcre is not needed, so replace it with content like this:

alert tcp any any -> $HOME_NET 80 (msg:"Web Attack !"; sid:100000008; flow:to_server,established; content:"POST"; http_method; content:"mouse"; nocase; http_client_body; rev:1;)

fires three times again on your pcre.pcap.

Regards
@Rmkml

On Sun, 7 Aug 2016, rmkml wrote:

Hi Andrey,
Yes, it already exists; use P on the pcre option for a regex on http_client_body, see page 207 of the Snort manual.
Best
@Rmkml

On Sat, 6 Aug 2016, Andrey Silversburg wrote:

Actually I'm targeting POST method content from the HTTP protocol. So I think http_client_body is the rule for this, right? This is what I want to ask about; maybe that is why my rule does not work. So I can't combine http_client_body and PCRE. In the SNORT manual there is no such information regarding what kind of rule I should use, or maybe I'm missing some part I should have read.

On 8/4/2016 6:45 PM, rmkml wrote:

Hi Andreys,
You cannot use pcre with http_client_body after. What is your target, detecting mouse on Uri or http_client_body? Pcre usage is for when a regular expression is needed; it is not needed to simply detect the mouse word.
Best
@Rmkml

-------- Original message --------
From: Andrey Silversburg <andrey.silversburg () gmail com>
Date: 04/08/2016 08:28 (GMT+01:00)
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] PCRE Signature Problem

Greetings, Snort Users

I want to detect some portion of the contents from an HTTP form using this rule in snort, but it seems snort cannot detect it. This is my rule:

alert tcp any any -> $HOME_NET 80 (msg:"Web Attack !"; sid:100000008; flow:to_server,established; content:"POST"; http_method; pcre:"/mouse/Usmix"; http_client_body; rev:1;)

I read from the Snort Users Manual how to catch HTTP content, but it seems snort only captures some part of the content. I tried to analyze it using wireshark. CMIIW, I'm guessing there is some "whitespace" that makes my PCRE rule not work. Is there any wrong rule in my rules?

This is from my snort -V:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.8.3 GRE (Build 383)
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/contact#team
           Copyright (C) 2014-2015 Cisco and/or its affiliates. All rights reserved.
           Copyright (C) 1998-2013 Sourcefire, Inc., et al.
           Using libpcap version 1.4.0
           Using PCRE version: 8.37 2015-04-28
           Using ZLIB version: 1.2.8

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
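Added example (not written by anyone in this thread, and not Snort's own code): a small Python checker that parses the option list of a Snort 2 rule and reports the two problems discussed above, namely a content modifier such as http_client_body placed after pcre (where the pcre P flag is the right tool) and a pcre whose pattern is a plain string (where content with nocase is cheaper). It also reports which buffer a pcre's flags actually select. The buffer-flag table is the one from the Snort 2.9 manual's pcre option; the option parser is a simplified one written for this illustration (no negated "!" options, no escaping of content special characters), and the three rules embedded as input are the ones from the thread.

```python
import re

# pcre flags that select a Snort 2.9 HTTP or raw buffer (from the Snort manual's pcre option);
# the P flag is the one rmkml points to for http_client_body.
PCRE_BUFFER_FLAGS = {
    "U": "http_uri", "I": "http_raw_uri", "P": "http_client_body",
    "H": "http_header", "D": "http_raw_header", "M": "http_method",
    "C": "http_cookie", "K": "http_raw_cookie", "S": "http_stat_code",
    "Y": "http_stat_msg", "B": "rawbytes",
}
# Inverse map: the content modifier keyword that each pcre flag replaces.
CONTENT_MODIFIER_TO_FLAG = {v: k for k, v in PCRE_BUFFER_FLAGS.items()}
# The remaining flags Snort accepts: PCRE's own i/s/m/x/A/E/G, relative R, override O.
PCRE_OTHER_FLAGS = set("ismxAEGRO")

# One rule option: keyword, optional ':' value (quoted or bare), terminated by ';'.
# Simplified parser for this example; it does not handle negated ("!") option values.
OPTION_RE = re.compile(r'\s*([A-Za-z_]+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
# Any regex metacharacter; a pattern without one is just a literal string.
REGEX_META_RE = re.compile(r'[.\[\]()*+?{}|^$\\]')

# The three rules from this thread, embedded here as the sample input.
ORIGINAL_RULE = ('alert tcp any any -> $HOME_NET 80 (msg:"Web Attack !"; sid:100000008; '
                 'flow:to_server,established; content:"POST"; http_method; '
                 'pcre:"/mouse/Usmix"; http_client_body; rev:1;)')
FIXED_PCRE_RULE = ('alert tcp any any -> $HOME_NET 80 (msg:"Web Attack !"; sid:100000008; '
                   'flow:to_server,established; content:"POST"; http_method; '
                   'pcre:"/mouse/Pi"; rev:1;)')
CONTENT_RULE = ('alert tcp any any -> $HOME_NET 80 (msg:"Web Attack !"; sid:100000008; '
                'flow:to_server,established; content:"POST"; http_method; '
                'content:"mouse"; nocase; http_client_body; rev:1;)')


def parse_rule_options(rule):
    """Return [(keyword, value_or_None), ...] from the parenthesised option body of a rule."""
    body = rule[rule.index("(") + 1:rule.rindex(")")].strip()
    opts, pos = [], 0
    while pos < len(body):
        m = OPTION_RE.match(body, pos)
        if not m:
            raise ValueError(f"cannot parse rule options at: {body[pos:pos + 30]!r}")
        kw, val = m.group(1), m.group(2)
        if val is not None:
            val = val.strip()
            if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
                val = val[1:-1]            # drop the surrounding quotes
        opts.append((kw, val))
        pos = m.end()
    return opts


def split_pcre(value):
    """Split a pcre option value '/pattern/flags' into (pattern, flags)."""
    end = value.rindex("/")
    if not value.startswith("/") or end == 0:
        raise ValueError(f"malformed pcre value: {value!r}")
    return value[1:end], value[end + 1:]


def lint_rule(rule):
    """Return [(code, message), ...] findings about the pcre options of one rule."""
    opts = parse_rule_options(rule)
    findings = []
    for i, (kw, val) in enumerate(opts):
        if kw != "pcre" or val is None:
            continue
        pattern, flags = split_pcre(val)
        buffers = [PCRE_BUFFER_FLAGS[f] for f in flags if f in PCRE_BUFFER_FLAGS]
        # Which buffer the regex really runs against (the original rule's U means http_uri).
        findings.append(("PCRE_BUFFER",
                         "pcre matches against: " + (", ".join(buffers) or "raw payload")))
        for f in flags:
            if f not in PCRE_BUFFER_FLAGS and f not in PCRE_OTHER_FLAGS:
                findings.append(("PCRE_UNKNOWN_FLAG", f"unknown pcre flag {f!r}"))
        # A content modifier right after pcre does not apply to the regex.
        if i + 1 < len(opts) and opts[i + 1][0] in CONTENT_MODIFIER_TO_FLAG:
            nxt = opts[i + 1][0]
            findings.append(("PCRE_MODIFIER_AFTER",
                             f"{nxt} after pcre only modifies content; "
                             f"use pcre flag {CONTENT_MODIFIER_TO_FLAG[nxt]!r} instead"))
        # A regex with no metacharacters is a plain string: content + nocase is cheaper.
        if not REGEX_META_RE.search(pattern):
            findings.append(("PCRE_LITERAL",
                             f"pattern {pattern!r} is a literal; use content with nocase instead"))
    return findings


def suggest_content_option(pcre_value):
    """Rewrite a literal pcre as the equivalent content option(s); None if a regex is needed.
    Only the case flag and buffer flags are translated (no R/relative handling, and no
    escaping of content special characters such as '|' or '"')."""
    pattern, flags = split_pcre(pcre_value)
    if REGEX_META_RE.search(pattern):
        return None
    parts = [f'content:"{pattern}";']
    if "i" in flags:
        parts.append("nocase;")
    parts += [PCRE_BUFFER_FLAGS[f] + ";" for f in flags if f in PCRE_BUFFER_FLAGS]
    return " ".join(parts)


if __name__ == "__main__":
    for name, rule in [("original", ORIGINAL_RULE), ("fixed pcre", FIXED_PCRE_RULE),
                       ("content", CONTENT_RULE)]:
        print(name)
        for code, msg in lint_rule(rule):
            print(f"  {code}: {msg}")
```

Run against the original rule, the checker reports that the Usmix flags point the regex at http_uri, not the POST body, that the trailing http_client_body is ignored by pcre, and that "mouse" needs no regex at all; against the content rule it reports nothing. That is the same sequence of points rmkml and Joel make above, in a form that can be applied to a whole rules file before it is loaded.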