[Snort-devel] Mis-Matching traffic with PCRE Rules

Joel Esler jesler at ...402...
Fri Mar 8 09:28:33 EST 2013


On Mar 8, 2013, at 5:43 AM, waseem sarwar <waseemsarwar103 at ...445...> wrote:

> I have a pcre based rule as follow in my rules file,
> 
> alert udp any any -> any 53 (msg:"MALWARE domain capodeicapi.eu"; pcre:"m/capodeicapi.eu/i"; classtype:trojan-activity; sid:5000968;)

Hm..
I'm not sure what you are doing with the "m" in your pcre there..  but if you are trying to match on a domain name look up, that rule won't work.  The "." in a domain name is actually a number.  And it would be faster and better to do a content match there.  content:"capodeicapi|02|eu"; or something like that.


> The issue I am facing is that this rule also matches for the domain http://capo.eu which it should not match. I am also facing similar problem with more pcre rules such that they match sub string based url of actual rules . I am using snort version 2.9.1.

First thing I am going to ask you to do is upgrade your version of Snort.  We are on 2.9.4.1 now, support for 2.9.1 ended about a year ago.  In addition to that, I also need to know what version of pcre you have installed on the box.


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130308/8a6ef393/attachment.html>


More information about the Snort-devel mailing list