[Snort-sigs] Looking for HTTP POST's over 1mb in size

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2420...
Fri Apr 9 09:02:11 EDT 2010


Of course they both work; this should not be a surprise.  A colon
doesn't need to be escaped in a PCRE and if you escape it, it doesn't
change the way the PCRE engine sees it since it isn't a special
character.  Heck, you could escape all non-special characters and
everything would work just fine.  It's how escaping works.  When
thinking about a colon in a PCRE, I'd encourage all to apply the
Alcatraz rule ... no escape :)

-L0rd Ch0de1m0rt

On 4/8/10, Matt Olney <molney at ...435...> wrote:
> Actually (don't ask me why)...they both work:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PCRE with colon";
> pcre:"/User-Agent:/H"; classtype: attempted-admin; sid: 33333;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PCRE with colon
> escaped"; pcre:"/User-Agent\:/H"; classtype: attempted-admin; sid: 33334;)
>
> Alerts:
> 1:33333:0       PCRE with colon
>      Alerts: 2
> 1:33334:0       PCRE with colon escaped
>      Alerts: 2
>
> [HTTP_HEADER BUFFER DATA (0x8ac90a0)]:
> 55 73 65 72 2d 41 67 65 6e 74 3a 20 43 42 4e 65    User-Agent: CBNe
> 74 44 61 74 61 53 65 74 0d 0a 48 6f 73 74 3a 20    tDataSet..Host:
> 73 65 67 6d 65 6e 74 2e 70 77 30 38 2e 69 63 69    segment.pw08.ici
> 62 61 2e 63 6f 6d 0d 0a 43 61 63 68 65 2d 43 6f    ba.com..Cache-Co
> 6e 74 72 6f 6c 3a 20 6d 61 78 2d 61 67 65 3d 32    ntrol: max-age=2
> 35 39 32 30 30 0d 0a 56 69 61 3a 20 31 2e 30 20    59200..Via: 1.0
> 50 52 4f 58 59 0d 0a 43 6f 6e 6e 65 63 74 69 6f    PROXY..Connectio
> 6e 3a 20 63 6c 6f 73 65 0d 0a 0d                   n: close...
>
> Matt
> (Who has been stupid busy, but is still listening)
>
> 2010/4/8 L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...2420...>
>
>> I disagree.  Unless snort is not PCRE compatible (which it seems they
>> should be based on the acronym), you don't have to escape the colon in
>> this context for a pcre check.
>>
>> Cheers,
>>
>> -L0rd Ch0de1m0rt
>>
>> On Thu, Apr 8, 2010 at 7:46 PM, 김무성 <kimms at ...3282...> wrote:
>> > Missed escape : \
>> >
>> > You have to write this
>> >
>> > pcre:"/^Content-Length\:\s*[0-9]{7,}$/i";
>> > or
>> > pcre:"/^Content-Length\x3a\s*[0-9]{7,}$/i";
>> >
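The whole thread turns on two regex points: a backslash before a non-special character such as the colon is a no-op, and the Content-Length pattern posted above is meant to flag requests announcing a body of seven or more digits (at least 1,000,000 bytes). The following is an added example, not code from the thread or from Snort; it uses Python's `re` module, which treats an escaped colon the same way PCRE does, as a stand-in for Snort's PCRE engine. The first header block is rebuilt from the HTTP_HEADER buffer dump quoted above; the POST header blocks, the host name and the function names are constructed for the example. Snort's `/H` modifier restricts the match to the header buffer; here `re.M` anchors `^` and `$` per header line, which is an assumption about how one would test each line rather than a Snort flag.

```python
import re

# Header buffer rebuilt from the hex dump quoted in the thread
# ([HTTP_HEADER BUFFER DATA]); CRLF line endings as in the dump.
HEADER_FROM_THREAD = (
    "User-Agent: CBNetDataSet\r\n"
    "Host: segment.pw08.iciba.com\r\n"
    "Cache-Control: max-age=259200\r\n"
    "Via: 1.0 PROXY\r\n"
    "Connection: close\r\n"
)

# Three spellings of the same header-name match discussed in the thread:
# bare colon, backslash-escaped colon, and the \x3a hex escape.
USER_AGENT_PATTERNS = {
    "plain":   r"User-Agent:",
    "escaped": r"User-Agent\:",
    "hex":     r"User-Agent\x3a",
}


def user_agent_match_spans(headers: str) -> dict:
    """Return the (start, end) span each spelling matches, or None if it fails."""
    spans = {}
    for name, pattern in USER_AGENT_PATTERNS.items():
        match = re.search(pattern, headers)
        spans[name] = match.span() if match else None
    return spans


def patterns_equivalent(headers: str) -> bool:
    """True when all three spellings match, and match the same bytes."""
    spans = set(user_agent_match_spans(headers).values())
    return len(spans) == 1 and None not in spans


# Constructed POST header blocks (not from the thread): one announces a
# 1 MiB body, the other a 4 KiB body. The host name is a placeholder.
LARGE_POST_HEADER = (
    "Host: upload.example.invalid\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Length: 1048576\r\n"
    "Connection: close\r\n"
)
SMALL_POST_HEADER = LARGE_POST_HEADER.replace("1048576", "4096")

# Pattern as posted in the thread (escaped colon; 7+ digits >= 1,000,000 bytes).
THREAD_PATTERN = r"^Content-Length\:\s*[0-9]{7,}$"
# Same check, but tolerating the CR of a CRLF line ending before $
# (my adjustment: $ matches before \n, not before \r, so the thread's
# pattern misses CRLF-terminated header lines when anchored per line).
CRLF_SAFE_PATTERN = r"^Content-Length:\s*[0-9]{7,}\r?$"


def announces_large_body(headers: str, pattern: str = CRLF_SAFE_PATTERN) -> bool:
    """True if a Content-Length header announces a body of >= 1,000,000 bytes.

    re.I mirrors the /i modifier in the posted rule; re.M anchors ^ and $ to
    each header line (assumed here as the way to test every line of the buffer).
    """
    return re.search(pattern, headers, re.I | re.M) is not None


if __name__ == "__main__":
    print("spans:", user_agent_match_spans(HEADER_FROM_THREAD))
    print("all three spellings equivalent:", patterns_equivalent(HEADER_FROM_THREAD))
    print("large POST flagged:", announces_large_body(LARGE_POST_HEADER))
    print("small POST flagged:", announces_large_body(SMALL_POST_HEADER))
    print("thread pattern vs CRLF line:", announces_large_body(LARGE_POST_HEADER, THREAD_PATTERN))
```

The first three prints show that the bare, escaped and hex-escaped colon all match the same eleven bytes, which is the point made at the top of the thread. The last print shows a separate caveat worth checking before deploying a size rule: with per-line anchoring, `$` does not match before the `\r` of a CRLF header line, so the posted pattern only fires on LF-terminated input, while the `\r?$` variant fires on both.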