[Snort-devel] Mis-Matching traffic with PCRE Rules

waseem sarwar waseemsarwar103 at ...445...
Fri Mar 8 09:50:03 EST 2013


Hi Jeol,
I have tried the rule on snort 2.9.4 version as well and got the same results. The PCRE version I am using is version: 8.12 2011-01-15. Please guide me with further debugging or resolution steps. 
Thanks,Waseem

Subject: Re: [Snort-devel] Mis-Matching traffic with PCRE Rules
From: jesler at ...402...
Date: Fri, 8 Mar 2013 09:28:33 -0500
CC: snort-devel at lists.sourceforge.net
To: waseemsarwar103 at ...445...

On Mar 8, 2013, at 5:43 AM, waseem sarwar <waseemsarwar103 at ...445...> wrote:I have a pcre based rule as follow in my rules file,
alert udp any any -> any 53 (msg:"MALWARE domain capodeicapi.eu"; pcre:"m/capodeicapi.eu/i"; classtype:trojan-activity; sid:5000968;)
Hm..I'm not sure what you are doing with the "m" in your pcre there..  but if you are trying to match on a domain name look up, that rule won't work.  The "." in a domain name is actually a number.  And it would be faster and better to do a content match there.  content:"capodeicapi|02|eu"; or something like that.

The issue I am facing is that this rule also matches for the domain http://capo.eu which it should not match. I am also facing similar problem with more pcre rules such that they match sub string based url of actual rules . I am using snort version 2.9.1.
First thing I am going to ask you to do is upgrade your version of Snort.  We are on 2.9.4.1 now, support for 2.9.1 ended about a year ago.  In addition to that, I also need to know what version of pcre you have installed on the box.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20130308/7f34c58f/attachment.html>


More information about the Snort-devel mailing list