Re: [Snort-sigs] Strange PCRE usage in standard snort rules

On Mon, May 09, 2005 at 02:15:59AM -0500, Frank Knobbe wrote:
> If the above are correct, then shouldn't we be able to split pcre
> matches in order to improve processing speed?

No.  Unfortunately, that is a common misconception.  

> For example: SID 2001401 of the Bleeding rules contains:
> pcre:"/(EMBED|FRAME|SRC|NAME)\s*=\s*["']\w{2086}|\W{2086}/im"
>
> Wouldn't it save processing cycles to split this into:
>   pcre:"/(EMBED|FRAME|SRC|NAME)/im"; 
>   pcre:"/\s*=\s*["']\w{2086}|\W{2086}/imR";

No.  For one, you would end up alerting where you should not.  

    <img src=foo.jpg> Here is my text somewhere, and this is
    not a vulnerability.  ="aaaaa  (2086 A's here)

The problem is measuring the length of the value for EMBED, FRAME,
SRC, or NAME.  If you don't measure that length, you are just
measuring the length of something... and in your example, you have no
idea as to WHAT you are measuring.

In addition, your rule has an incorrect alternations.  The following
content will cause the rule to fire (in both cases):

    =" (insert 2086 spaces here)

Brian


-------------------------------------------------------
This SF.Net email is sponsored by: NEC IT Guy Games.
Get your fingers limbered up and give it your best shot. 4 great events, 4
opportunities to win big! Highest score wins.NEC IT Guy Games. Play to
win an NEC 61 plasma display. Visit http://www.necitguy.com/?r=20
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs