[Snort-devel] Mis-Matching traffic with PCRE Rules

Joshua Kinard kumba at ...2185...
Fri Mar 8 17:34:36 EST 2013


On 03/08/2013 9:28 AM, Joel Esler wrote:
> On Mar 8, 2013, at 5:43 AM, waseem sarwar <waseemsarwar103 at ...445...>
> wrote:
> 
>> I have a pcre based rule as follow in my rules file,
>> 
>> alert udp any any -> any 53 (msg:"MALWARE domain capodeicapi.eu";
>> pcre:"m/capodeicapi.eu/i"; classtype:trojan-activity; sid:5000968;)
> 
> Hm.. I'm not sure what you are doing with the "m" in your pcre there..
> but if you are trying to match on a domain name look up, that rule won't
> work.  The "." in a domain name is actually a number.  And it would be
> faster and better to do a content match there.
> content:"capodeicapi|02|eu"; or something like that.

The 'm' is a way to specify an alternate pcre delimiter.  A '/' is the default,
so he really doesn't need the 'm' in there, although I don't think it
should be a problem.

As for the DNS label bit, yeah, he would be better off using a static
content match and include a byte count plus the null terminator, as well as
fast_pattern:only;.

content:"|0b|capodeicapi|02|eu|00|"; fast_pattern:only;

If it's an actual HTTP URL he wanted, he is totally on the wrong transport
protocol and he should enable/use the HTTP preprocessor:

2nd-level domain match in HTTP headers:
content:"Host: capodeicapi.eu"; http_header; fast_pattern:only;

3rd-level match (pcre form):
content:"capodeicapi.eu"; http_header; fast_pattern:only;
pcre:"/Host\x3a\x20.*\x2ecapodeicapi\x2eeu/iH"

Could also do the 3rd-level match w/ two relative contents to avoid the
penalty of the libpcre offload, but that might run into the "Referer" field,
if it repeats that 2nd-level:
content:"Host: "; http_header; content:"capodeicapi.eu"; nocase; distance:0;
http_header;


>> The issue I am facing is that this rule also matches for the domain
>> http://capo.eu which it should not match. I am also facing a similar
>> problem with more pcre rules such that they match substring-based URLs
>> of actual rules. I am using snort version 2.9.1.
> 
> First thing I am going to ask you to do is upgrade your version of Snort.
> We are on 2.9.4.1 now, support for 2.9.1 ended about a year ago.  In
> addition to that, I also need to know what version of pcre you have
> installed on the box.

Does Snort depend on the pcre lib installed by the OS, or does it include
its own copy of libpcre in some form?

-- 
Joshua Kinard
Gentoo/MIPS
kumba at ...2185...
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
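Added example, not part of the thread above: a small Python script that encodes a query name in DNS wire format (length-prefixed labels, terminated by a zero byte) and runs the patterns from the thread against it, so you can see why the unescaped `.` in the original pcre matches more than intended and why the length-prefixed content match `|0b|capodeicapi|02|eu|00|` does not. The second half applies the three HTTP header variants (2nd-level content, 3rd-level pcre with `\x2e`, and the two relative contents) to constructed request headers, including the Referer case Joshua warns about. The hostnames and headers are constructed sample data, and the matching is plain Python `re`/`bytes` operations standing in for Snort's content and pcre engines (it ignores Snort details such as `fast_pattern` and `http_header` buffer boundaries).

```python
import re


def encode_dns_name(name: str) -> bytes:
    """Encode a dotted hostname in DNS wire format (RFC 1035): each label is
    preceded by its length byte and the name ends with a single zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("DNS label length out of range: %r" % label)
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


# content:"|0b|capodeicapi|02|eu|00|" from the thread, as Python bytes.
CONTENT_DNS = b"\x0bcapodeicapi\x02eu\x00"

# The original rule's pcre (unescaped '.'), and the same pattern with the dot
# escaped, which is what a regex author would usually mean by a dotted name.
PCRE_UNESCAPED = re.compile(rb"capodeicapi.eu", re.I)
PCRE_ESCAPED = re.compile(rb"capodeicapi\.eu", re.I)

# 3rd-level HTTP pcre from the thread: /Host\x3a\x20.*\x2ecapodeicapi\x2eeu/iH
PCRE_HTTP_3RD = re.compile(rb"Host\x3a\x20.*\x2ecapodeicapi\x2eeu", re.I)


def dns_content_match(qname: str) -> bool:
    """Does the length-prefixed content string occur in the encoded name?"""
    return CONTENT_DNS in encode_dns_name(qname)


def dns_pcre_match(pattern: re.Pattern, qname: str) -> bool:
    """Does the given regex hit the DNS wire form of the name?"""
    return pattern.search(encode_dns_name(qname)) is not None


def http_header_matches(headers: bytes) -> dict:
    """Evaluate the three HTTP-header rule variants from the thread.

    - second_level_content: content:"Host: capodeicapi.eu"; (case-sensitive,
      no nocase in the rule)
    - third_level_pcre: the /Host\x3a\x20.*\x2ecapodeicapi\x2eeu/iH pcre
    - two_relative_contents: content:"Host: "; then content:"capodeicapi.eu";
      nocase; distance:0; i.e. anywhere after the end of "Host: "
    """
    host_tag = b"Host: "
    pos = headers.find(host_tag)
    relative = (pos != -1 and
                headers.lower().find(b"capodeicapi.eu", pos + len(host_tag)) != -1)
    return {
        "second_level_content": b"Host: capodeicapi.eu" in headers,
        "third_level_pcre": PCRE_HTTP_3RD.search(headers) is not None,
        "two_relative_contents": relative,
    }


# Constructed sample HTTP request headers (not captured traffic).
HDR_3RD_LEVEL = b"GET / HTTP/1.1\r\nHost: www.capodeicapi.eu\r\nUser-Agent: x\r\n\r\n"
HDR_2ND_LEVEL = b"GET / HTTP/1.1\r\nHost: capodeicapi.eu\r\n\r\n"
HDR_REFERER_ONLY = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
                    b"Referer: http://capodeicapi.eu/\r\n\r\n")


if __name__ == "__main__":
    for qname in ("capodeicapi.eu", "www.capodeicapi.eu",
                  "capodeicapi.eu.example", "capodeicapixeu.example"):
        print("%-26s content=%-5s pcre(.)=%-5s pcre(\\.)=%s" % (
            qname, dns_content_match(qname),
            dns_pcre_match(PCRE_UNESCAPED, qname),
            dns_pcre_match(PCRE_ESCAPED, qname)))
    for name, hdr in (("3rd-level host", HDR_3RD_LEVEL),
                      ("2nd-level host", HDR_2ND_LEVEL),
                      ("referer only", HDR_REFERER_ONLY)):
        print(name, http_header_matches(hdr))
```

Running it shows the two failure modes side by side: on the DNS wire form the unescaped `.` happily matches the `\x02` length byte (and any other byte, so `capodeicapixeu` also hits), while an escaped `\.` never matches a DNS query at all because there is no literal dot on the wire; the length-prefixed content with the trailing `|00|` only fires when the name really ends in `capodeicapi.eu`. On the HTTP side, the two-relative-contents variant is the only one that also fires on the Referer-only request, which is exactly the side effect the thread mentions.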
