[Snort-sigs] pcre...what am I doing wrong?

김무성 kimms at ...3282...
Tue Mar 31 20:53:05 EDT 2009

You must look at the packet of the DNS query.
In a DNS query, the query structure is not subdomain.domain.net;
it is |09|subdomain|06|domain|03|net|00|

You have to create content:"|09|subdomain|06|domain|03|net|00|";

-----Original Message-----
From: Jason Wallace [mailto:jason.r.wallace at ...2420...] 
Sent: Wednesday, April 01, 2009 4:59 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] pcre...what am I doing wrong?

I'm trying to write a rule using a pcre that looks for DNS requests to
a large list of domains. I know pcre is compiled in because I see this
during the ./configure

checking pcre.h usability... yes
checking pcre.h presence... yes
checking for pcre.h... yes
checking for pcre_compile in -lpcre... yes
checking for libpcre version 6.0 or greater... yes

Here is the simple beginning of the rule...

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"My Message";
pcre:"/subdomain\.domain\.net/smi"; classtype:trojan-activity;
sid:500000001; rev:1;)

This is just a simple example. There will be a large list of domains
similar to the large list of file extensions in the "VIRUS OUTBOUND
bad file attachment" sid:721 rule. The problem is the pcre doesn't
seem to be working. Using \ to escape the . is correct right? Here are
some things I have tried...

pcre:"/subdomain\.domain\.net/smi"; does NOT work
pcre:"/subdomain\\.domain\\.net/smi"; does NOT work
pcre:"/subdomain.domain.net/smi"; DOES work (but not exactly what I'm
looking for, because the . could be anything not just a .)
pcre:"/domain/smi"; DOES work

This not working makes me a little nervous since there are a lot of
rules using \ to escape a . and now I'm wondering if any of them are

Why wouldn't \ work to escape a . ??
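Added example, not code from either poster: a Python script that encodes a name in DNS wire format (RFC 1035 length-prefixed labels), renders the content: match the reply suggests, and reproduces the pcre results from the question against a constructed query payload; the last pattern goes one step further and shows a pcre written against the wire format. The domain and the packet bytes are constructed for the demonstration.

```python
import re

# Constructed sample: the same domain the thread discusses
DOMAIN = "subdomain.domain.net"


def dns_wire_name(name: str) -> bytes:
    """Encode a name as DNS wire-format labels (RFC 1035 s3.1):
    a length byte before each label and a zero byte terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def snort_content(name: str) -> str:
    """Render the wire-format name in Snort content syntax, hex bytes
    between pipes, e.g. |09|subdomain|06|domain|03|net|00|."""
    labels = name.rstrip(".").split(".")
    return "".join(f"|{len(l):02x}|{l}" for l in labels) + "|00|"


def dns_query_payload(name: str) -> bytes:
    """Minimal constructed DNS query: 12-byte header (id 0x1234, RD set,
    one question) + QNAME + QTYPE A + QCLASS IN."""
    header = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    return header + dns_wire_name(name) + b"\x00\x01\x00\x01"


def pcre_hits(pattern: bytes, payload: bytes) -> bool:
    """Search the raw payload the way Snort's pcre:"/.../smi" would."""
    return re.search(pattern, payload, re.S | re.M | re.I) is not None


PAYLOAD = dns_query_payload(DOMAIN)

# The patterns from the question, plus one aware of the wire format.
RESULTS = {
    # False: bytes 0x06 and 0x03 sit where a literal '.' is expected
    "escaped dots": pcre_hits(rb"subdomain\.domain\.net", PAYLOAD),
    # True: an unescaped '.' matches any byte, including the length bytes
    "unescaped dots": pcre_hits(rb"subdomain.domain.net", PAYLOAD),
    # True: a bare label is present verbatim
    "bare label": pcre_hits(rb"domain", PAYLOAD),
    # True: the pcre spells out the length bytes instead of dots
    "wire-format pcre": pcre_hits(rb"\x09subdomain\x06domain\x03net\x00", PAYLOAD),
}
```

Printing `snort_content(DOMAIN)` gives exactly the content: string from the reply, and the wire-format pcre is the equivalent if a regex is still wanted for a large domain list.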

