[Snort-sigs] [AUTO IP] Re: [AUTO IP] Re: Question about content

evilghost at ...3397...
Tue Dec 1 14:45:44 EST 2009

Paul, the PCRE was used to demonstrate the end of string matching, as 
previously suggested by Matt.  The content match on "GET " with a depth 
of 4 was used to anchor the signature to an HTTP method, since the 
signature offered was used as an example centered around HTTP.  It was 
further suggested that http_method should be used and/or the addition of 
the nocase; argument to ensure non-RFC compliant matching.  The useful 
information was contained in the PCRE; if anything you should be 
screaming about the \d+ instead of just AAAA$, [A]{4}$, or A{4}$, but 
then again, there seems to be little merit to your gripe to begin with.

Ideally I was hoping the OP would reply and better clarify exactly what 
type of data/application they are attempting to inspect so a signature 
with greater precision could be constructed.  What was offered was not 
an answer to homework but sufficient information to craft the necessary 
signature, by example, for the OP's requirements.

In the future I'll be sure to run replies through you since you've been 
a wealth of help to the OP here.  An ip rule with a PCRE-only is going 
to be a costly rule, but I'm sure you already knew that.


Paul Schmehl wrote:
> I saw that.  The point is, you didn't come close to answering the OP's 
> question.  Forget the assumptions you made, you looked for a word 4 bytes into 
> the packet.  That wasn't what he asked for.  He asked how he could find the 
> pattern at_the_end_of_the_packet without knowing the packet length.
> The rest is irrelevant.
> --On Tuesday, December 01, 2009 11:46:04 -0600 evilghost at ...3397... wrote:
>> Paul, since you failed at reading comprehension, here would be the
>> *critical* statement I made *before* I supplied the rule, as an example
>> of how PCRE could be used to detect what the OP has requested:
>> "Making assumptions about direction, protocol, and content I would try
>> something like this:"
>> I do appreciate your gems of wisdom concerning the ip based rule.
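The two-stage matching argued over in this thread (a cheap `content:"GET "; depth:4;` prefilter, then a PCRE whose `$` anchors the pattern to the end of the payload without knowing its length) can be emulated in Python's `re` module to see exactly what the `$` anchor does and does not match. This is an added example, not code from the thread or from Snort; the payloads are constructed here, the `A{4}` pattern stands in for whatever the OP actually wants at the end of the packet, and the `nocase`/`strict_end` switches are my own knobs to illustrate the `nocase;` and PCRE `D` (dollar_endonly) modifiers mentioned or implied above.

```python
"""Emulate a Snort content prefilter followed by an end-anchored PCRE.

Added example, not from the Snort-sigs thread. Payloads are constructed
for illustration; A{4} stands in for the real end-of-packet pattern.
"""
import re

# Stage 1 emulates:  content:"GET "; depth:4;
# depth:4 means the literal must lie entirely within the first 4 bytes.
CONTENT = b"GET "
DEPTH = 4

# Stage 2 emulates:  pcre:"/A{4}$/"   (loose)   and  pcre:"/A{4}$/D" (strict)
# In PCRE and in Python's re, a bare '$' also matches just before one
# trailing "\n"; '\Z' (PCRE's D / dollar_endonly flag) matches only at
# the absolute end of the buffer.
END_LOOSE = re.compile(rb"A{4}$")
END_STRICT = re.compile(rb"A{4}\Z")


def content_prefilter(payload: bytes, content: bytes = CONTENT,
                      depth: int = DEPTH, nocase: bool = False) -> bool:
    """True if `content` fits wholly inside the first `depth` bytes.

    `nocase` emulates Snort's nocase; modifier (case-insensitive literal).
    """
    window = payload[:depth]
    if nocase:
        return content.lower() in window.lower()
    return content in window


def matches(payload: bytes, strict_end: bool = False,
            nocase: bool = False) -> bool:
    """Full rule emulation: run the regex only if the cheap prefilter passes.

    This ordering is the point of pairing a content match with the PCRE:
    most traffic is rejected by the 4-byte window and never reaches PCRE.
    """
    if not content_prefilter(payload, nocase=nocase):
        return False
    pattern = END_STRICT if strict_end else END_LOOSE
    return pattern.search(payload) is not None


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "clean_end":      b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\nAAAA",
    "trailing_lf":    b"GET /x HTTP/1.0\r\n\r\nAAAA\n",     # '$' vs '\Z' differ
    "trailing_crlf":  b"GET /x HTTP/1.0\r\n\r\nAAAA\r\n",   # neither anchor hits
    "lowercase_get":  b"get /x AAAA",                       # needs nocase
    "wrong_method":   b"POST /x AAAA",                      # prefilter rejects
}


def classify(payload: bytes) -> dict:
    """Return every variant's verdict for one payload, for side-by-side review."""
    return {
        "prefilter": content_prefilter(payload),
        "prefilter_nocase": content_prefilter(payload, nocase=True),
        "loose": matches(payload),
        "strict": matches(payload, strict_end=True),
        "loose_nocase": matches(payload, nocase=True),
    }


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:14s} {classify(data)}")
```

The `trailing_lf` and `trailing_crlf` samples are the caveat worth carrying back to the real rule: a bare `$` tolerates one trailing `\n` but not `\r\n`, and the `D` flag tolerates neither, so if the protocol being inspected terminates records with CRLF the pattern needs to account for it explicitly rather than relying on `$` alone.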
