[Snort-sigs] pcre...what am I doing wrong?

Jason Wallace jason.r.wallace at ...2420...
Tue Mar 31 15:58:34 EDT 2009


I'm trying to write a rule using a pcre that looks for DNS requests to
a large list of domains. I know pcre is compiled in because I see this
during the ./configure

checking pcre.h usability... yes
checking pcre.h presence... yes
checking for pcre.h... yes
checking for pcre_compile in -lpcre... yes
checking for libpcre version 6.0 or greater... yes

Here is the simple beginning of the rule...

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"My Message";
pcre:"/subdomain\.domain\.net/smi"; classtype:trojan-activity;
sid:500000001; rev:1;)

This is just a simple example. There will be a large list of domains
similar to the large list of file extensions in the "VIRUS OUTBOUND
bad file attachment" sid:721 rule. The problem is that the pcre doesn't
seem to be working. Using \ to escape the . is correct, right? Here are
some things I have tried...

pcre:"/subdomain\.domain\.net/smi"; does NOT work
pcre:"/subdomain\\.domain\\.net/smi"; does NOT work
pcre:"/subdomain.domain.net/smi"; DOES work (but not exactly what I'm
looking for, because the . could be anything, not just a .)
pcre:"/domain/smi"; DOES work

This not working makes me a little nervous since there are a lot of
rules using \ to escape a . and now I'm wondering if any of them are
working...

Why wouldn't \ work to escape a . ?

Thx,
Wally
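Added example, not part of the original post: the escaping is fine, but a DNS query never carries the name as a dotted string. RFC 1035 encodes a QNAME as length-prefixed labels, so "subdomain.domain.net" travels on the wire as the bytes 09 "subdomain" 06 "domain" 03 "net" 00, with no 0x2e '.' byte anywhere. That is exactly why `subdomain\.domain\.net` never matches while `subdomain.domain.net` does (the unescaped `.` happily consumes the 0x06 and 0x03 length bytes). The script below builds a constructed query packet (not a capture), runs the three patterns from the post over it, and generates a pcre option that matches the wire encoding of a whole list of domains instead. All function names and the sample domain list are this example's own.

```python
import re
import struct

# Constructed sample: the watched domains and, later, a client lookup of one of them.
WATCHED = ["subdomain.domain.net", "evil.example.com"]


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as DNS wire-format labels (RFC 1035 section 3.1):
    each label is preceded by its length byte and the name ends with 0x00.
    No '.' byte appears in the result, which is what an escaped-dot pattern
    would need to see."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad DNS label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal standard A/IN query as a stub resolver would send it (constructed).
    Header: id, flags (RD set), qdcount=1, ancount=0, nscount=0, arcount=0."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", 1, 1)


def pcre_literal(data: bytes) -> str:
    """Render bytes as a printable PCRE literal: ASCII alphanumerics as-is,
    everything else as \\xHH, so length bytes such as 0x09 do not end up as raw
    control characters inside the rule file."""
    return "".join(chr(b) if b < 128 and chr(b).isalnum() else f"\\x{b:02x}" for b in data)


def dns_pcre_pattern(domains) -> str:
    """PCRE matching the wire encoding of any listed domain, or of a name under it.
    The trailing \\x00 (root label) keeps 'domain.net.attacker.org' from matching."""
    alts = "|".join(pcre_literal(encode_qname(d)[:-1]) for d in domains)
    return f"(?:{alts})\\x00"


def snort_pcre_option(domains) -> str:
    """The pcre option for the rule. 'i' because DNS names are case-insensitive
    (some resolvers randomise case); 's' and 'm' are not needed here."""
    return f'pcre:"/{dns_pcre_pattern(domains)}/i";'


def matches(pattern: str, payload: bytes, flags=re.I | re.S | re.M) -> bool:
    """Apply a pattern the way Snort's pcre option would with /smi."""
    return re.search(pattern.encode("ascii"), payload, flags) is not None


def compare_patterns(name: str = "subdomain.domain.net") -> dict:
    """Run the patterns from the post, plus the wire-aware one, over a real query."""
    payload = build_dns_query(name)
    lookalike = build_dns_query("subdomain.domain.net.attacker.org")
    return {
        "escaped_dot": matches(r"subdomain\.domain\.net", payload),  # no '.' byte to match
        "unescaped_dot": matches(r"subdomain.domain.net", payload),  # '.' eats the length bytes
        "bare_word": matches(r"domain", payload),
        "wire_aware": matches(dns_pcre_pattern(WATCHED), payload),
        "wire_aware_lookalike": matches(dns_pcre_pattern(WATCHED), lookalike),
    }


if __name__ == "__main__":
    print(encode_qname("subdomain.domain.net"))
    print(snort_pcre_option(WATCHED))
    for key, hit in compare_patterns().items():
        print(f"{key:22s} {hit}")
```

Two practical notes. First, the same wire bytes can be expressed with Snort's `content` option using hex in pipes (`content:"|09|subdomain|06|domain|03|net|00|";`), which goes through the fast pattern matcher and is cheaper than a pcre; for a long domain list, a `content` per domain in separate rules, or one pcre alternation like the generated one, are both valid trade-offs. Second, note that the unescaped-dot pattern only matched because `/s` was set: a 10-character label has length byte 0x0a, a newline, which `.` would not consume without it.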
