[Snort-sigs] pcre...what am I doing wrong?

Jason Wallace jason.r.wallace at ...2420...
Tue Mar 31 16:33:02 EDT 2009

Well how about that... Looking back at my packet captures I see it
now. Was expecting to see a dot between them so just assumed (yea I
know) the dot in the pcap was actually a dot.

Guess I should have checked the RFC.

Thx for the help!

On Tue, Mar 31, 2009 at 4:21 PM, Dale Handy <dhandy at ...3370...> wrote:
> Hash: SHA1
> Well, the problem is, in a DNS request, there is no dot "." in the
> request. Where you would normally see a dot character is actually a
> length byte. Thus, the pcre to detect such a DNS request would actually
> be written like this:
>        pcre:"/\x09subdomain\x06domain\x03net/i";
> Where \x09 represents the length of the "subdomain" component, \x06
> represents the length of the "domain" component, and \x03 is the length
> of the "net" piece. Also, in this case, you would not need the s or m
> modifiers.
> Jason Wallace wrote:
>> I'm trying to write a rule using a pcre that looks for DNS requests to
>> a large list of domains. I know pcre is compiled in because I see this
>> during the ./configure
>> checking pcre.h usability... yes
>> checking pcre.h presence... yes
>> checking for pcre.h... yes
>> checking for pcre_compile in -lpcre... yes
>> checking for libpcre version 6.0 or greater... yes
>> Here is the simple beginning of the rule...
>> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"My Message";
>> pcre:"/subdomain\.domain\.net/smi"; classtype:trojan-activity;
>> sid:500000001; rev:1;)
>> This is just a simple example. There will be a large list of domains
>> similar to the large list of file extensions in the "VIRUS OUTBOUND
>> bad file attachment" sid:721 rule. The problem is the the pcre doesn't
>> seem to be working. Using \ to escape the . is correct right? Here are
>> some things I have tried...
>> pcre:"/subdomain\.domain\.net/smi"; does NOT work
>> pcre:"/subdomain\\.domain\\.net/smi"; does NOT work
>> pcre:"/subdomain.domain.net/smi"; DOES work (but not exactly what I'm
>> looking for, because the . could be anything not just a .)
>> pcre:"/domain/smi"; DOES work
>> This not working makes me a little nervous since there are a lot of
>> rules using \ to escape a . and now I'm wondering if any of them are
>> working...
>> Why wouldn't \ work to escape a . ??
>> Thx,
>> Wally
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> - --
> Everyone talks about apathy, but no one does anything about it.
> - -- Dale L. Handy, P.E.
>   dhandy at ...3370...
>   208-552-8707
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> iD8DBQFJ0ntkC7MG6fPx/+kRAiyaAJ42dvorHB1snbOdhoGAfChH/AMZKwCfdyii
> HPa6fDt5rrZYuwFBajLcpqs=
> =6uwW
> This e-mail message and any attachments contain information that is confidential and may be privileged.  If the reader of this e-mail is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.  If you have received this communication in error, please immediately notify us by replying to this message or by sending an email to postmaster at ...3370..., and destroy all copies of this message and any attachments without reading or disclosing them.  Thank you.

More information about the Snort-sigs mailing list