On Mon, May 09, 2005 at 11:59:01AM +1000, Erik de Castro Lopo wrote:
I've noticed some strange usage of PCRE in the netbios.rules. For
instance, rule 2937 has the following construct:
pcre:"/^.{27}/R";
content:"&|00|"; distance:29; within:2;
which uses the PCRE matcher to move the current match position forward
by 27 characters and then has a 2 byte content match a further 29
characters on in the packet (I think thats correct).
That is exactly what it is trying to do.
You are looking at a netbios rule. Most of the netbios rules are
code generated now. Instead of the snippet above, it would be faster
to do this:
content:"&|00|"; distance:56; within:2;
In the above setup, I am using pcre to skip to the appropriate section
in the request, and start doing detection from there.
This way I only worry about each section on its own, bolting them
together as needed to support all of the many enumerations that SMB
allows. The DCERPC rules are developed first for DCERPC directly
(aka, port 135 via UDP), and then bolted on-top of SMB.
The rules work fine that way, and for me, the rules are easier to
write.
These rules can be made faster, but doing so makes my rule generator a
bit more complicated. That additional layer of cleanup will happen
soon enough. First, detect the vulnerability. If we have time, tune
it so it doesn't turn the sensor into a brick. ;P
Brian
-------------------------------------------------------
This SF.Net email is sponsored by: NEC IT Guy Games.
Get your fingers limbered up and give it your best shot. 4 great events, 4
opportunities to win big! Highest score wins.NEC IT Guy Games. Play to
win an NEC 61 plasma display. Visit http://www.necitguy.com/?r=20
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
