[Snort-devel] Mis-Matching traffic with PCRE Rules
waseemsarwar103 at ...445...
Fri Mar 8 09:50:03 EST 2013
I have tried the rule on snort 2.9.4 version as well and got the same results. The PCRE version I am using is version: 8.12 2011-01-15. Please guide me with further debugging or resolution steps.
Subject: Re: [Snort-devel] Mis-Matching traffic with PCRE Rules
From: jesler at ...402...
Date: Fri, 8 Mar 2013 09:28:33 -0500
CC: snort-devel at lists.sourceforge.net
To: waseemsarwar103 at ...445...
On Mar 8, 2013, at 5:43 AM, waseem sarwar <waseemsarwar103 at ...445...> wrote:
I have a pcre based rule as follows in my rules file,
alert udp any any -> any 53 (msg:"MALWARE domain capodeicapi.eu"; pcre:"m/capodeicapi.eu/i"; classtype:trojan-activity; sid:5000968;)
Hm.. I'm not sure what you are doing with the "m" in your pcre there.. but if you are trying to match on a domain name lookup, that rule won't work. The "." in a domain name is actually a number. And it would be faster and better to do a content match there. content:"capodeicapi|02|eu"; or something like that.
The issue I am facing is that this rule also matches for the domain http://capo.eu, which it should not match. I am also facing a similar problem with more pcre rules, such that they match substring-based URLs of the actual rules. I am using snort version 2.9.1.
First thing I am going to ask you to do is upgrade your version of Snort. We are on 220.127.116.11 now; support for 2.9.1 ended about a year ago. In addition to that, I also need to know what version of pcre you have installed on the box.
Senior Research Engineer, VRT
OpenSource Community Manager
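To make Jesler's point concrete: in a DNS query the label separators are not dots on the wire but length bytes, so the "." in the posted pcre is an unescaped wildcard that happens to match the 0x02 before "eu". The script below is an added example, not code from the thread or from the Snort project. It builds minimal DNS query payloads for the two names mentioned in the thread plus a few constructed look-alikes, then runs the posted pcre, the suggested content match, and a tighter content match that pins the leading length byte and the terminating 0x00 (that tighter variant is my suggestion, not Jesler's). The DNS packets and the extra names are constructed for the example.

```python
import re
import struct


def encode_qname(name: str) -> bytes:
    """Encode a domain name in DNS wire format: <len><label>...<0x00>.
    The dots are never transmitted; each label is prefixed with its length byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS query payload (header + one A/IN question), constructed for this example."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags 0x0100: standard query, RD set
    question = encode_qname(name) + struct.pack(">HH", 1, 1)     # QTYPE=A, QCLASS=IN
    return header + question


# The pcre from the thread, run over the raw UDP payload as an unanchored search.
# The unescaped '.' is a wildcard, so it matches the 0x02 length byte before "eu"
# just as readily as any other single byte.
PCRE_RULE = re.compile(rb"capodeicapi.eu", re.IGNORECASE)

# Jesler's suggested content match spelled out as bytes: content:"capodeicapi|02|eu";
CONTENT_RULE = b"capodeicapi\x02eu"

# Tighter variant (my suggestion, not from the thread): include the leading length byte
# 0x0b (11 == len("capodeicapi")) and the terminating 0x00, i.e.
# content:"|0b|capodeicapi|02|eu|00|";  Subdomains still match, label-internal hits do not.
TIGHT_RULE = b"\x0bcapodeicapi\x02eu\x00"


def pcre_matches(payload: bytes) -> bool:
    return PCRE_RULE.search(payload) is not None


def content_matches(payload: bytes, pattern: bytes = CONTENT_RULE) -> bool:
    # Emulates a Snort content match with the nocase modifier (DNS names are case-insensitive).
    return pattern in payload.lower()


def evaluate(names):
    """Return {name: (pcre_hit, content_hit, tight_content_hit)} for a query on each name."""
    results = {}
    for name in names:
        payload = build_dns_query(name)
        results[name] = (
            pcre_matches(payload),
            content_matches(payload),
            content_matches(payload, TIGHT_RULE),
        )
    return results


if __name__ == "__main__":
    # The two names from the thread plus constructed look-alikes.
    samples = [
        "capodeicapi.eu",            # the intended target
        "capo.eu",                   # the name reported as a false positive
        "capodeicapiXeu.example",    # constructed: wildcard '.' swallows the X
        "www.capodeicapi.eu",        # constructed: subdomain of the target
        "capodeicapi.eu.example",    # constructed: target embedded inside a longer name
        "notcapodeicapi.eu",         # constructed: target as a suffix of a longer label
    ]
    for name, (p, c, t) in evaluate(samples).items():
        print(f"{name:26} pcre={str(p):5} content={str(c):5} tight={t}")
```

On these constructed packets neither pattern fires on a bare query for capo.eu, so if that name really triggers the rule it is worth pulling the actual packet from the capture and checking what else the payload carries. What the pcre does show is two independent sources of over-matching: the wildcard dot (any byte between "capodeicapi" and "eu") and the lack of anchoring (any longer label containing the string). A literal content match removes the first; adding the length byte and terminator, as in TIGHT_RULE, removes the second while still catching subdomains of the target.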