[Snort-sigs] [Emerging-Sigs] Errors with the Snort manual

Mike Cox mike.cox52 at ...2420...
Thu Feb 18 15:12:19 EST 2010


I fail to see how the PCRE "/ABC.{1}DEF/" maps to "content:"ABC";
content:"DEF"; distance:1;"

The PCRE matches the string "ABC" followed by any single byte (note the
superfluous "{1}" making the PCRE more confusing IMHO) followed by the
string "DEF".  As for the content matches, the first content match matches
the string "ABC".  So far so good.  The second content match skips a single
byte and then starts looking to match the string "DEF".  So the string
"ABCDEF" would not match either, the string "ABCXDEF" would match both, and
the string "ABCDXYZDEF" would match the content keywords but not the PCRE.
This disparity in matching makes me question the "mapping" of the PCRE to
the content matches.  Yes, there are strings that will match both but it is
clearly not a 1 to 1 mapping.

-Mike Cox

On Thu, Feb 18, 2010 at 1:58 PM, evilghost at ...3397... wrote:

> You are absolutely correct, this has been resolved in the 2.8.5.1
> manual.  Evidently I did report it after all (couldn't remember) or it
> was resolved without my reporting.  Thanks Joel.
>
> -evilghost
>
> Joel Esler wrote:
> > Evilghost,
> >
> > I have to go off of the current version of the manual, as we put out
> > corrections and additions to the manual with every version of Snort.
> >
> > I am looking at the 2.8.5.1 version that is currently on Snort.org,
> > the REGEX in 3.5.6 reads:
> > "/ABC.{1}DEF/" and the example is (content:"ABC"; content:"DEF";
> > distance:1;).
> > This is correct.
> >
> > In 3.5.7 it says "This rule constrains the search of EFG to not go
> > past 10 bytes past the ABC match."
> >
> > The example is (content:"ABC"; content:"EFG"; within:10;) -- which is
> > correct.
> >
> > As for there being no "D".  There is nothing mentioned about the letter D.
> >
> > J
> >
> > On Thu, Feb 18, 2010 at 2:37 PM, evilghost at ...3397... wrote:
> >
> >     Hello,
> >
> >     There was a discussion on ET about some errors in the Snort manual.
> >     I cannot remember if I reported these or not.  The Snort 2.8.4 manual
> >     appears to be inaccurate or wrong in a few places, specifically:
> >
> >     Page #114, section 3.5.6, the REGEX used to explain figure 3.16 is
> >     incorrect.
> >     Page #114, section 3.5.7, the "10 bytes past the ABCDE match" verbiage
> >     is incorrect, there is no "D" in figure 3.17 nor is the explanation of
> >     figure 3.17 correct.
> >
> >     I did not check 2.8.5 but I assume these may persist there as well.
> >
> >     Thanks
> >     -evilghost
> >
> >     _______________________________________________
> >     Emerging-sigs mailing list
> >     Emerging-sigs at ...3335...
> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> >     Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs
> >     and Lanyards
> >
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
> >
> >
> >
> >
> > --
> > Joel Esler
> > 302-223-5974
>
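Added example (not code from the Snort manual, from Snort itself, or from anyone in this thread): a small Python model of the content/distance/within chaining as the thread describes it, run against the three strings from Mike's message, with Python's re module standing in for PCRE (it behaves the same as PCRE for these patterns). The function names, the extra "ABCABCXDEF" payload and the window rule inside content_chain_match (search for the second content starts `distance` bytes after the end of the previous match and, when within is set, the second content must fit entirely inside the next `within` bytes) are my assumptions, taken from the manual text quoted above rather than from Snort's code. It also checks the two regexes that do correspond to the content keywords: distance:1 on its own behaves like /ABC.+DEF/, and /ABC.{1}DEF/ needs distance:1 together with within:3.

```python
# Added illustration, not code from the Snort manual or from this thread.
# Models Snort's content/distance/within chaining as described in the
# discussion and compares it with regex matching via Python's re module.
import re
from typing import Dict, Optional, Tuple


def pcre_match(pattern: bytes, payload: bytes) -> bool:
    """Unanchored regex search, as Snort's pcre keyword does by default.

    No re.S here on purpose: PCRE's '.' also stops at a newline unless the
    rule adds the /s modifier, which a real rule for binary data should.
    """
    return re.search(pattern, payload) is not None


def content_chain_match(payload: bytes, first: bytes, second: bytes,
                        distance: int = 0,
                        within: Optional[int] = None) -> bool:
    """Emulate: content:first; content:second; distance:D; within:W;

    Assumed semantics (my reading of the manual text quoted in the thread):
      - the search for `second` starts `distance` bytes after the end of the
        `first` match (distance:1 skips exactly one byte, then keeps looking);
      - if `within` is given, `second` must fit entirely inside the next
        `within` bytes from that window start;
      - every occurrence of `first` is tried, so a later occurrence can still
        satisfy the chain.
    """
    start = 0
    while True:
        i = payload.find(first, start)
        if i < 0:
            return False
        window_start = i + len(first) + distance
        window_end = len(payload) if within is None else window_start + within
        if window_start <= len(payload) and \
                payload.find(second, window_start, window_end) >= 0:
            return True
        start = i + 1  # try the next occurrence of `first`


# Constructed sample payloads: the three strings from the message plus one
# with a repeated "ABC" to show that a later occurrence is retried.
PAYLOADS = [b"ABCDEF", b"ABCXDEF", b"ABCDXYZDEF", b"ABCABCXDEF"]


def compare_manual_mapping(payloads=PAYLOADS) -> Dict[bytes, Tuple[bool, bool]]:
    """(pcre /ABC.{1}DEF/, content chain with distance:1) per payload."""
    return {p: (pcre_match(rb"ABC.{1}DEF", p),
                content_chain_match(p, b"ABC", b"DEF", distance=1))
            for p in payloads}


def distance_only_equivalent(payloads=PAYLOADS) -> bool:
    """distance:1 alone means 'at least one byte between', i.e. /ABC.+DEF/."""
    return all(pcre_match(rb"ABC.+DEF", p) ==
               content_chain_match(p, b"ABC", b"DEF", distance=1)
               for p in payloads)


def exact_gap_equivalent(payloads=PAYLOADS) -> bool:
    """/ABC.{1}DEF/ needs within:3 on top of distance:1 to pin DEF in place."""
    return all(pcre_match(rb"ABC.{1}DEF", p) ==
               content_chain_match(p, b"ABC", b"DEF", distance=1, within=3)
               for p in payloads)


def within_example(payload: bytes) -> Tuple[bool, bool]:
    """Section 3.5.7 example: content:"ABC"; content:"EFG"; within:10;

    EFG must end no more than 10 bytes past the ABC match, so at most
    7 bytes may sit between them: the regex form is /ABC.{0,7}EFG/.
    """
    return (pcre_match(rb"ABC.{0,7}EFG", payload),
            content_chain_match(payload, b"ABC", b"EFG", within=10))


if __name__ == "__main__":
    for payload, (rx, chain) in compare_manual_mapping().items():
        print(f"{payload!r:16} pcre={rx!s:5} content/distance:1={chain}")
    print("distance:1 == /ABC.+DEF/           :", distance_only_equivalent())
    print("distance:1;within:3 == /ABC.{1}DEF/:", exact_gap_equivalent())
```

Running it prints one line per payload; "ABCDEF" matches neither form, "ABCXDEF" matches both, and "ABCDXYZDEF" matches the content chain but not the regex, which is the disparity Mike describes. The within_example function does the same comparison for the section 3.5.7 rule: "ABC1234567EFG" (seven bytes between) matches both forms, "ABC12345678EFG" (eight bytes) matches neither.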