
| Subject: | Re: [Snort-sigs] Strange PCRE usage in standard snort rules |
|---|---|
| Date: | Mon, 9 May 2005 14:26:18 +1000 |
On 2005-05-09 2:18:18 Frank Knobbe <frank@knobbe.us> wrote:
> On Mon, 2005-05-09 at 11:59 +1000, Erik de Castro Lopo wrote:
> > I've noticed some strange usage of PCRE in the netbios.rules. For
> > instance, rule 2937 has the following construct:
> >
> > pcre:"/^.{27}/R"; content:"&|00|"; distance:29; within:2;
>
> Err.... I was under the impression that distance and within only work
> on a previous "content" match, and not "pcre" matches. Are you saying
> distance can be used to offset from previous "pcre" matches?
This part of the Snort docs is rather unclear. From my reading of the docs, this is valid.
> Can /R in pcre then also be used to offset from previous "content"
> matches?
From the docs, in a table of Snort-specific pcre modifiers:
R Match relative to the end of the last pattern match. (Similar
to distance:0;)
which seems to suggest that "/^.{27}/R" matches the first 27 bytes
after the last match.
As for the distance specifier, it is documented as:
The distance keyword allows the rule writer to specify how far
into a packet Snort should ignore before starting to search for
the specified pattern relative to the end of the previous pattern
match.
This is somewhat unclear. It could mean the end of the last content
match or the last match (which would include things like pcre, byte_jump
and byte_test). I go for the latter reading.
Either way, it should be possible to replace the PCRE with a
byte_test which is really the point I was trying to make.
I wish the docs were less ambiguous :-).
Erik
--
-------------------------------------------------------
[N] Erik de Castro Lopo, Senior Computer Engineer
[E] erik.de.castro.lopo@sensorynetworks.com
[W] http://www.sensorynetworks.com
[T] +61 2 83022726
[F] +61 2 94750316
[A] L6/140 William St, East Sydney NSW 2011, Australia
-------------------------------------------------------
A good debugger is no substitute for a good test suite.
-------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
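The two readings of the documentation that Erik weighs above (does a `pcre` match move the "end of last match" pointer that `distance`/`within` are measured from, or only a `content` match?) can be made concrete with a small model of Snort's relative payload matching. The following Python is an added example for this archive page; it is not Snort's own detection engine and not code from anyone in the thread. It assumes simplified semantics: `distance:N` starts the search N bytes after the pointer, `within:N` confines the whole pattern to the next N bytes, and the `R` modifier runs the regex on the buffer starting at the pointer. The leading `content:"SMB"` option and the two payloads are constructed so that there is a previous match to be relative to; they are not taken from rule 2937 or from real SMB traffic.

```python
import re

# Constructed sample payloads (not real SMB traffic): a 3-byte marker, filler,
# then the two bytes the rule's final content option looks for.
PAYLOAD_FAR = b"SMB" + b"A" * 27 + b"B" * 29 + b"&\x00" + b"tail"
PAYLOAD_NEAR = b"SMB" + b"B" * 29 + b"&\x00" + b"tail"

# The option sequence quoted in the thread, preceded by an assumed anchoring
# content match so that a "previous match" exists. Each entry is
# (keyword, value, modifiers).
RULE_OPTIONS = [
    ("content", "SMB", {}),
    ("pcre", "/^.{27}/R", {}),
    ("content", "&|00|", {"distance": 29, "within": 2}),
]

# Under the reading where pcre moves the pointer, the pcre option just skips
# 27 bytes, so the rule should behave like a single content 56 bytes out.
FLAT_OPTIONS = [
    ("content", "SMB", {}),
    ("content", "&|00|", {"distance": 56, "within": 2}),
]


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string such as '&|00|' into raw bytes.

    Text outside |...| is literal; inside, whitespace-separated hex bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes(int(h, 16) for h in part.split())
    return bytes(out)


def parse_pcre(spec: str):
    """Split '/regex/flags' into a compiled bytes pattern and the R flag.

    Only the Snort-specific R modifier and the i/s/m PCRE flags are modelled;
    other modifiers are ignored (an assumption of this model)."""
    m = re.fullmatch(r"/(.*)/([A-Za-z]*)", spec, re.S)
    if not m:
        raise ValueError(f"bad pcre spec: {spec}")
    regex, flags = m.groups()
    reflags = 0
    if "i" in flags:
        reflags |= re.I
    if "s" in flags:
        reflags |= re.S
    if "m" in flags:
        reflags |= re.M
    return re.compile(regex.encode("latin-1"), reflags), "R" in flags


def evaluate(options, payload: bytes, pcre_moves_pointer: bool = True):
    """Evaluate (keyword, value, modifiers) options against a payload.

    'doe' is the end of the last match; distance/within and pcre's R flag are
    resolved against it. pcre_moves_pointer selects between the two readings
    discussed in the thread: True means a pcre match moves the pointer like
    any other match, False means only content matches do.
    Returns (matched, [(keyword, match_start, match_end), ...])."""
    doe = 0
    trace = []
    for kw, value, mods in options:
        if kw == "content":
            needle = parse_content(value)
            if "distance" in mods or "within" in mods:
                start = doe + mods.get("distance", 0)
                # within:N limits the search to N bytes after the distance
                # point, so the pattern must fit entirely in [start, start+N).
                end = start + mods["within"] if "within" in mods else len(payload)
            else:
                start, end = 0, len(payload)
            idx = payload.find(needle, start, end)
            if idx < 0:
                return False, trace
            doe = idx + len(needle)
            trace.append((kw, idx, doe))
        elif kw == "pcre":
            pattern, relative = parse_pcre(value)
            base = doe if relative else 0
            # Slice the buffer so that ^ anchors at the pointer, as /R intends.
            m = pattern.search(payload[base:])
            if not m:
                return False, trace
            if pcre_moves_pointer:
                doe = base + m.end()
            trace.append((kw, base + m.start(), base + m.end()))
        else:
            raise ValueError(f"unsupported option in this model: {kw}")
    return True, trace


if __name__ == "__main__":
    for name, payload in (("FAR", PAYLOAD_FAR), ("NEAR", PAYLOAD_NEAR)):
        for reading in (True, False):
            ok, trace = evaluate(RULE_OPTIONS, payload, pcre_moves_pointer=reading)
            print(f"{name}: pcre moves pointer={reading} -> {ok} {trace}")
```

Running it shows that the two readings are not cosmetic: each payload matches under exactly one of them, and only under the "any match moves the pointer" reading does the quoted `pcre`/`content` pair give the same verdict as the flattened `distance:56` option on both payloads. That is why a rule writer cannot swap the PCRE for a plain content offset without first knowing which reading the engine actually implements.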