[Snort-sigs] PCRE and normalized content

Paul Schmehl pschmehl_lists at ...3425...
Wed Jan 13 18:52:20 EST 2010

This string: %20%61%6E%64%20%31%3D%31
equals this string: ' and 1=1'
after normalization.  You can pick this up in a rule by using uricontent 
instead of content.  But what do you do about PCRE?  Is there a way to get PCRE 
to match against normalized content?  Or will it only match against 
non-normalized content?

I'm working on sql injection rules and using the following pcre: 

It works fine on 1=1 or 54=54, but fails on %31%3D%31, apparently because it's 
attempting to match against the non-normalized content.

Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson

More information about the Snort-sigs mailing list