[Snort-sigs] pcre...what am I doing wrong?

JJ Cummings cummingsj at ...2420...
Tue Mar 31 21:08:24 EDT 2009


Exactly, this is a MUCH better way of doing it!

On Tue, Mar 31, 2009 at 6:53 PM, 김무성 <kimms at ...3282...> wrote:

> You must look at the packet of the DNS query.
> In a DNS query,
> the query structure is not subdomain.domain.net;
> it is |09|subdomain|06|domain|03|net|00|
>
> You have to create content:"|09|subdomain|06|domain|03|net|00|";
>
> -----Original Message-----
> From: Jason Wallace [mailto:jason.r.wallace at ...2420...]
> Sent: Wednesday, April 01, 2009 4:59 AM
> To: snort-sigs at lists.sourceforge.net
> Subject: [Snort-sigs] pcre...what am I doing wrong?
>
> I'm trying to write a rule using a pcre that looks for DNS requests to
> a large list of domains. I know pcre is compiled in because I see this
> during the ./configure
>
> checking pcre.h usability... yes
> checking pcre.h presence... yes
> checking for pcre.h... yes
> checking for pcre_compile in -lpcre... yes
> checking for libpcre version 6.0 or greater... yes
>
> Here is the simple beginning of the rule...
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"My Message";
> pcre:"/subdomain\.domain\.net/smi"; classtype:trojan-activity;
> sid:500000001; rev:1;)
>
> This is just a simple example. There will be a large list of domains
> similar to the large list of file extensions in the "VIRUS OUTBOUND
> bad file attachment" sid:721 rule. The problem is the pcre doesn't
> seem to be working. Using \ to escape the . is correct, right? Here are
> some things I have tried...
>
> pcre:"/subdomain\.domain\.net/smi"; does NOT work
> pcre:"/subdomain\\.domain\\.net/smi"; does NOT work
> pcre:"/subdomain.domain.net/smi"; DOES work (but not exactly what I'm
> looking for, because the . could be anything not just a .)
> pcre:"/domain/smi"; DOES work
>
> This not working makes me a little nervous since there are a lot of
> rules using \ to escape a . and now I'm wondering if any of them are
> working...
>
> Why wouldn't \ work to escape a . ??
>
> Thx,
> Wally
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>
>



-- 
JJ Cummings
M: 303.881.5181
jj.cummings at ...435...
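As an added illustration (not code from the thread), this Python encodes a name into DNS wire format, builds the content match suggested above, and shows why the escaped-dot pcre cannot match the raw query while the unescaped one matches only because `.` happens to match the label-length bytes. The DNS header bytes and the second hostname are constructed sample values.

```python
import re

def dns_wire_name(hostname):
    """Encode a hostname the way it appears in a DNS query (RFC 1035):
    each label is prefixed by its length byte, the name ends with 0x00.
    There is no literal '.' (0x2E) anywhere in the encoded name."""
    out = bytearray()
    for label in hostname.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)

def snort_content_for_name(hostname):
    """Render the same bytes in Snort's mixed hex/text content notation,
    e.g. content:"|09|subdomain|06|domain|03|net|00|";"""
    parts = "".join("|%02X|%s" % (len(l), l)
                    for l in hostname.strip(".").split("."))
    return 'content:"%s|00|";' % parts

def pcre_matches(pattern, payload):
    """Approximate Snort's /smi flags: DOTALL, MULTILINE, IGNORECASE."""
    return re.search(pattern, payload, re.S | re.M | re.I) is not None

# Constructed sample query: 12-byte header (ID 0x1234, RD set, QDCOUNT 1),
# the question name, then QTYPE A (1) and QCLASS IN (1).
QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
         + dns_wire_name("subdomain.domain.net") + b"\x00\x01\x00\x01")

# Constructed lookalike: one single label that the unescaped pcre also
# matches, because '.' in the regex matches the 'x' and 'y' bytes too.
LOOKALIKE = (b"\x12\x35\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             + dns_wire_name("subdomainxdomainynet.example") + b"\x00\x01\x00\x01")

def content_matches(hostname, payload):
    """What the content: match does: look for the exact wire bytes."""
    return dns_wire_name(hostname) in payload

if __name__ == "__main__":
    print(snort_content_for_name("subdomain.domain.net"))
    print("escaped pcre on real query:  ", pcre_matches(rb"subdomain\.domain\.net", QUERY))
    print("unescaped pcre on real query:", pcre_matches(rb"subdomain.domain.net", QUERY))
    print("unescaped pcre on lookalike: ", pcre_matches(rb"subdomain.domain.net", LOOKALIKE))
    print("content bytes on lookalike:  ", content_matches("subdomain.domain.net", LOOKALIKE))
```

The escaped pattern fails on every real query, the unescaped one fires on the lookalike as well, and only the length-prefixed content match is exact.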