[Snort-sigs] pcre...what am I doing wrong?

Jason Wallace jason.r.wallace at ...2420...
Wed Apr 1 07:34:48 EDT 2009


That was my original idea, however I'll be looking for 30+ domains.
Also these are DMZ systems that don't initiate a lot of connections so
there is very little outbound DNS request traffic. There will be a
content: part of the rule to reduce the pcre use.

I guess the question is, "Where is the performance break-even point?".

30+ content: rules vs. 1 content: + pcre: rule.

Also, I so infrequently write rules using pcre that I was worried my
regex skills were getting a little rusty. This looked like a good one
to sharpen them up on. :)

Wally


2009/3/31 JJ Cummings <cummingsj at ...2420...>:
> Exactly, this is a MUCH better way of doing it!
>
> On Tue, Mar 31, 2009 at 6:53 PM, 김무성 <kimms at ...3282...> wrote:
>>
>> You must look at the packet of the DNS query.
>> In a DNS query,
>> the query structure is not subdomain.domain.net.
>> It is |09|subdomain|06|domain|03|net|00|
>>
>> You have to create content:"|09|subdomain|06|domain|03|net|00|";
>>
>> -----Original Message-----
>> From: Jason Wallace [mailto:jason.r.wallace at ...2420...]
>> Sent: Wednesday, April 01, 2009 4:59 AM
>> To: snort-sigs at lists.sourceforge.net
>> Subject: [Snort-sigs] pcre...what am I doing wrong?
>>
>> I'm trying to write a rule using a pcre that looks for DNS requests to
>> a large list of domains. I know pcre is compiled in because I see this
>> during the ./configure
>>
>> checking pcre.h usability... yes
>> checking pcre.h presence... yes
>> checking for pcre.h... yes
>> checking for pcre_compile in -lpcre... yes
>> checking for libpcre version 6.0 or greater... yes
>>
>> Here is the simple beginning of the rule...
>>
>> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"My Message";
>> pcre:"/subdomain\.domain\.net/smi"; classtype:trojan-activity;
>> sid:500000001; rev:1;)
>>
>> This is just a simple example. There will be a large list of domains
>> similar to the large list of file extensions in the "VIRUS OUTBOUND
>> bad file attachment" sid:721 rule. The problem is the pcre doesn't
>> seem to be working. Using \ to escape the . is correct right? Here are
>> some things I have tried...
>>
>> pcre:"/subdomain\.domain\.net/smi"; does NOT work
>> pcre:"/subdomain\\.domain\\.net/smi"; does NOT work
>> pcre:"/subdomain.domain.net/smi"; DOES work (but not exactly what I'm
>> looking for, because the . could be anything not just a .)
>> pcre:"/domain/smi"; DOES work
>>
>> This not working makes me a little nervous since there are a lot of
>> rules using \ to escape a . and now I'm wondering if any of them are
>> working...
>>
>> Why wouldn't \ work to escape a . ??
>>
>> Thx,
>> Wally
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>
>
>
>
> --
> JJ Cummings
> M: 303.881.5181
> jj.cummings at ...435...
>
>
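The point 김무성 makes above (the dots are simply not present in a DNS query; each label is preceded by a length byte and the name ends with a zero byte) is easy to verify offline. The following Python is an added example, not code from any of the posts: it encodes a name in DNS wire format, renders the matching Snort content: string, builds a constructed sample query packet, and applies the patterns from the thread to it with the same /smi semantics Snort's pcre: option uses. It also goes beyond the single-domain case with wire_pcre, which produces one alternation over several names for the "1 content: + pcre:" variant Wally is weighing; the \xNN escapes it emits are standard PCRE syntax, and the packet layout, transaction id, and names are assumptions made for the demo.

```python
import re
import struct

# Added example for this thread (not code from the original posts): shows why a
# pcre for "subdomain\.domain\.net" never matches a DNS query and how to build
# the length-prefixed content: match suggested above.

def dns_label_encode(name: str) -> bytes:
    """Encode a domain name in DNS wire format (RFC 1035 section 3.1):
    each label is preceded by a one-byte length, and the name ends with 0x00.
    'subdomain.domain.net' -> b'\\x09subdomain\\x06domain\\x03net\\x00'"""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not label or len(label) > 63:
            raise ValueError(f"invalid DNS label: {label!r}")
        out.append(len(label))
        out.extend(label.encode("ascii"))
    out.append(0)                       # root label terminates the name
    return bytes(out)

def snort_content(name: str) -> str:
    """Render the wire-format name as a Snort content: keyword, with the
    length bytes in |hex| notation and the label text left readable."""
    parts = "".join(f"|{len(label):02X}|{label}"
                    for label in name.rstrip(".").split("."))
    return f'content:"{parts}|00|";'

def wire_pcre(names) -> str:
    """Build one regex that matches any of several names in wire format
    (the '1 content: + pcre:' variant discussed in the thread). Length
    bytes are written as \\xNN escapes so the pattern stays printable."""
    alts = []
    for name in names:
        alts.append("".join(f"\\x{len(label):02x}{re.escape(label)}"
                            for label in name.rstrip(".").split(".")))
    return "(?:" + "|".join(alts) + ")\\x00"

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample packet (assumption for the demo): a standard
    A-record query for `name` with RD set, one question, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = dns_label_encode(name) + struct.pack("!HH", 1, 1)
    return header + question

def pcre_matches(pattern: str, packet: bytes) -> bool:
    """Apply a pattern to the raw packet the way Snort's pcre: option does
    with the /smi modifiers (dotall, multiline, case-insensitive)."""
    return re.search(pattern.encode("ascii"), packet, re.S | re.M | re.I) is not None

if __name__ == "__main__":
    pkt = build_dns_query("subdomain.domain.net")
    print(snort_content("subdomain.domain.net"))
    print("pcre subdomain\\.domain\\.net :", pcre_matches(r"subdomain\.domain\.net", pkt))
    print("pcre subdomain.domain.net   :", pcre_matches(r"subdomain.domain.net", pkt))
    print("wire-format pcre           :",
          pcre_matches(wire_pcre(["example.com", "subdomain.domain.net"]), pkt))
```

Running it shows the behaviour Wally reported: the escaped pattern never matches because the byte between the labels is 0x06, not a '.', while the unescaped pattern matches only because '.' happily consumes that length byte. The wire-format content: (or the wire_pcre alternation) matches the question name exactly; name compression is not a concern here because it is only used in answer sections, not in the question a client sends.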