[Snort-devel] Mis-Matching traffic with PCRE Rules

Joshua Kinard kumba at ...2185...
Fri Mar 8 17:34:36 EST 2013

On 03/08/2013 9:28 AM, Joel Esler wrote:
> On Mar 8, 2013, at 5:43 AM, waseem sarwar <waseemsarwar103 at ...445...>
> wrote:
>> I have a pcre based rule as follows in my rules file,
>> alert udp any any -> any 53 (msg:"MALWARE domain capodeicapi.eu";
>> pcre:"m/capodeicapi.eu/i"; classtype:trojan-activity; sid:5000968;)
> Hm.. I'm not sure what you are doing with the "m" in your pcre there..
> but if you are trying to match on a domain name look up, that rule won't
> work.  The "." in a domain name is actually a number.  And it would be
> faster and better to do a content match there.
> content:"capodeicapi|02|eu"; or something like that.

The 'm' is a way to specify an alternate pcre delimiter.  A '/' is default,
so he really doesn't need the 'm' in there, although, I don't think it
should be a problem.

As for the DNS label bit, yeah, he would be better off using a static
content match and include a byte count plus the null terminator, as well as

content:"|0b|capodeicapi|02|eu|00|"; fast_pattern:only;

If it's an actual HTTP URL he wanted, he is totally on the wrong transport
protocol and he should enable/use the HTTP preprocessor:

2nd-level domain match in HTTP headers:
content:"Host: capodeicapi.eu"; http_header; fast_pattern:only;

3rd-level match (pcre form):
content:"capodeicapi.eu"; http_header; fast_pattern:only;

Could also do the 3rd-level match w/ two relative contents to avoid the
penalty of the libpcre offload, but that might run into the "Referer" field,
if it repeats that 2nd-level:
content:"Host: "; http_header; content:"capodeicapi.eu"; nocase; distance:0;

>> The issue I am facing is that this rule also matches for the domain
>> http://capo.eu which it should not match. I am also facing a similar
>> problem with more pcre rules, such that they match substring-based URLs
>> of the actual rules. I am using snort version 2.9.1.
> First thing I am going to ask you to do is upgrade your version of Snort.
> We are on now, support for 2.9.1 ended about a year ago.  In
> addition to that, I also need to know what version of pcre you have
> installed on the box.

Does Snort depend on the pcre lib installed by the OS, or does it include
its own copy of libpcre in some form?

Joshua Kinard
kumba at ...2185...
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
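The DNS label point in the thread, as an added example that is not part of the original messages: a domain is carried in a DNS question as length-prefixed labels, so a content match on the wire bytes is exact, while an unescaped "." in a pcre acts as a wildcard and matches the length byte too. The DNS query payloads below are constructed for the test and are not real captures; the Snort content rendering follows the |hex| convention shown above.

```python
import re

def dns_qname(domain: str) -> bytes:
    """Encode a domain as DNS wire-format labels: <len><label>... then 0x00."""
    out = b""
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def snort_content(data: bytes) -> str:
    """Render bytes as a Snort content string, non-printables as |hex| pipes."""
    parts, hexrun = [], []
    def flush():
        if hexrun:
            parts.append("|" + " ".join(f"{b:02x}" for b in hexrun) + "|")
            hexrun.clear()
    for b in data:
        # Printable ASCII that is not a content-string metacharacter is literal
        if 0x20 <= b < 0x7F and chr(b) not in '|";\\':
            flush()
            parts.append(chr(b))
        else:
            hexrun.append(b)
    flush()
    return "".join(parts)

def dns_query(domain: str) -> bytes:
    """Constructed minimal DNS query: 12-byte header, one A/IN question."""
    header = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    return header + dns_qname(domain) + b"\x00\x01\x00\x01"

def wire_match(payload: bytes, domain: str) -> bool:
    """Exact-domain check: the full label sequence, incl. the terminator."""
    return dns_qname(domain) in payload

def pcre_match(payload: bytes, pattern: str) -> bool:
    """Case-insensitive regex over the raw payload, as pcre:"/.../i" would do."""
    return re.search(pattern.encode("ascii"), payload, re.I) is not None
```

Note that wire_match on "capodeicapi.eu" still matches a lookup for "www.capodeicapi.eu" (the suffix labels are identical) but not "capodeicapi.eu.example.net", whereas the unescaped pcre matches both.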
