[Snort-sigs] [Emerging-Sigs] Errors with the Snort manual

Joel Esler eslerj at ...2420...
Thu Feb 18 15:21:18 EST 2010


Mike,

That's a good point.  (The third example.)

I'll bring that up.

J

On Thu, Feb 18, 2010 at 3:12 PM, Mike Cox <mike.cox52 at ...2420...> wrote:

> I fail to see how the PCRE "/ABC.{1}DEF/" maps to "content:"ABC";
> content:"DEF"; distance:1;"
>
> The PCRE matches the string "ABC" followed by any single byte (note the
> superfluous "{1}" making the PCRE more confusing IMHO) followed by the
> string "DEF".  As for the content matches, the first content match matches
> the string "ABC".  So far so good.  The second content match skips single
> byte and then starts looking to match the string "DEF".  So the string
> "ABCDEF" would not match either, the string "ABCXDEF" would match both, and
> the string "ABCDXYZDEF" would match the content keywords but not the PCRE.
> This disparity in matching makes me question the "mapping" of the PCRE to
> the content matches.  Yes, there are strings that will match both but it is
> clearly not a 1 to 1 mapping.
>
> -Mike Cox
>
>
> On Thu, Feb 18, 2010 at 1:58 PM, evilghost at ...3397... <
> evilghost at ...3397...> wrote:
>
>> You are absolutely correct, this has been resolved in the 2.8.5.1
>> manual.  Evidently I did report it after all (couldn't remember) or it
>> was resolved without my reporting.  Thanks Joel.
>>
>> -evilghost
>>
>> Joel Esler wrote:
>> > Evilghost,
>> >
>> > I have to go off of the current version of the manual, as we put out
>> > corrections and additions to the manual with every version of Snort.
>> >
>> > I am looking at the 2.8.5.1 version that is currently on Snort.org,
>> > the REGEX in 3.5.6 reads:
>> > "/ABC.{1}DEF/" and the example is (content:"ABC"; content:"DEF";
>> > distance:1;).
>> > This is correct.
>> >
>> > In 3.5.7 it says "This rule constrains the search of EFG to not go
>> > past 10 bytes past the ABC match."
>> >
>> > The example is (content:"ABC"; content:"EFG"; within:10;) -- which is
>> > correct.
>> >
>> > As for there being no "D".  There is nothing mentioned about the letter D.
>> >
>> > J
>> >
>> > On Thu, Feb 18, 2010 at 2:37 PM, evilghost at ...3397...
>> > <evilghost at ...3397...> wrote:
>> >
>> >     Hello,
>> >
>> >     There was a discussion on ET about some errors in the Snort manual.  I
>> >     cannot remember if I reported these or not.  The Snort 2.8.4 manual
>> >     appears to be inaccurate or wrong in a few places, specifically:
>> >
>> >     Page #114, section 3.5.6, the REGEX used to explain figure 3.16 is
>> >     incorrect.
>> >     Page #114, section 3.5.7, the "10 bytes past the ABCDE match" verbiage
>> >     is incorrect, there is no "D" in figure 3.17 nor is the explanation of
>> >     figure 3.17 correct.
>> >
>> >     I did not check 2.8.5 but I assume these may persist there as well.
>> >
>> >     Thanks
>> >     -evilghost
>> >
>> >     _______________________________________________
>> >     Emerging-sigs mailing list
>> >     Emerging-sigs at ...3335...
>> >     http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> >
>> >     Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs
>> >     and Lanyards
>> >
>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>> >
>> >
>> >
>> >
>> > --
>> > Joel Esler
>> > 302-223-5974
>>



-- 
Joel Esler
302-223-5974
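The disparity Mike Cox describes, worked through in code. This is an added example, not code from the thread or from Snort itself: it models the documented relative-content semantics (distance shifts the start of the search, within bounds its length; nocase, offset, depth and the rest are left out) and runs the manual's two rule fragments and their PCRE counterparts over constructed payloads, including the three strings Mike reasons about. The claim that distance:1; within:3; reproduces the PCRE exactly holds for this model; check it against your Snort build before relying on it.

```python
import re

# Constructed payloads from the thread's discussion (not captured traffic).
# These are the three strings Mike Cox reasons about.
PAYLOADS = [b"ABCDEF", b"ABCXDEF", b"ABCDXYZDEF"]

# Rule fragments as (pattern, distance, within) tuples; None means "not set".
RULE_3_5_6 = [(b"ABC", None, None), (b"DEF", 1, None)]   # content:"ABC"; content:"DEF"; distance:1;
PCRE_3_5_6 = rb"ABC.{1}DEF"                              # the manual's "/ABC.{1}DEF/"

# Tightened version (assumption, see lead-in): under this model, within:3 pins
# DEF to the 3-byte window that starts 1 byte after ABC, i.e. exactly one byte between.
RULE_EXACT = [(b"ABC", None, None), (b"DEF", 1, 3)]

RULE_3_5_7 = [(b"ABC", None, None), (b"EFG", None, 10)]  # content:"ABC"; content:"EFG"; within:10;
PCRE_3_5_7 = rb"ABC.{0,7}EFG"                            # EFG must end within 10 bytes of the ABC match


def match_contents(payload: bytes, contents) -> bool:
    """Simplified model of relative content matching.

    Assumption (not Snort's engine): after the first content matches, each
    later content is searched in a window that starts `distance` bytes past
    the end of the previous match and, if `within` is set, is `within` bytes
    long. Without `within` the window runs to the end of the payload, which
    is why distance alone is a lower bound on the gap, not an exact offset.
    """
    cursor = 0
    for i, (pattern, distance, within) in enumerate(contents):
        start = cursor + (distance or 0) if i else 0
        window = payload[start:] if within is None else payload[start:start + within]
        pos = window.find(pattern)
        if pos < 0:
            return False
        cursor = start + pos + len(pattern)
    return True


def pcre_matches(payload: bytes, pcre: bytes) -> bool:
    """Unanchored search over the payload, as an unanchored pcre keyword does."""
    return re.search(pcre, payload) is not None


def compare(payload: bytes, pcre: bytes, contents) -> tuple:
    """(pcre result, content result) for one payload; unequal means disparity."""
    return pcre_matches(payload, pcre), match_contents(payload, contents)


if __name__ == "__main__":
    for p in PAYLOADS:
        print(p, "3.5.6 rule:", compare(p, PCRE_3_5_6, RULE_3_5_6),
              "with within:3 added:", compare(p, PCRE_3_5_6, RULE_EXACT))
    # within:10 boundary: EFG ending exactly 10 bytes past ABC matches, one byte later does not
    for gap in (7, 8):
        p = b"ABC" + b"X" * gap + b"EFG"
        print(p, "3.5.7 rule:", compare(p, PCRE_3_5_7, RULE_3_5_7))
```

On the three thread strings the 3.5.6 rule agrees with the PCRE on "ABCDEF" (neither matches) and "ABCXDEF" (both match) but diverges on "ABCDXYZDEF", where the content keywords match and the PCRE does not; adding within:3 removes the divergence in this model.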