[Snort-sigs] PCRE and normalized content

Paul Schmehl pschmehl_lists at ...3425...
Wed Jan 13 18:52:20 EST 2010


This string: %20%61%6E%64%20%31%3D%31
equals this string: ' and 1=1'
after normalization.  You can pick this up in a rule by using uricontent 
instead of content.  But what do you do about PCRE?  Is there a way to get PCRE 
to match against normalized content?  Or will it only match against 
non-normalized content?

I'm working on SQL injection rules and using the following pcre: 
pcre:"/and\s(\d+)=\1/";

It works fine on 1=1 or 54=54, but fails on %31%3D%31, apparently because it's 
attempting to match against the non-normalized content.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
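
An added example, not part of the original post: this Python sketch runs the post's expression over a URI before and after percent-decoding, showing why it matches only the normalized form. The sample URIs and function names are constructed for illustration; in Snort itself, the pcre option's `U` modifier applies the expression to the decoded URI buffer, as uricontent does for content.

```python
import re
from urllib.parse import unquote

# The expression from the post: "and", one whitespace character, then a number
# compared with itself through the \1 back-reference.
TAUTOLOGY = re.compile(r"and\s(\d+)=\1")


def normalize(raw_uri: str) -> str:
    """Decode %XX escapes once, the step the post calls normalization."""
    return unquote(raw_uri)


def check(raw_uri: str) -> dict:
    """Run the same expression over the raw and the normalized form of a URI."""
    return {
        "raw": bool(TAUTOLOGY.search(raw_uri)),
        "normalized": bool(TAUTOLOGY.search(normalize(raw_uri))),
    }


# Constructed sample URIs (the path and parameter name are made up).
SAMPLES = [
    "/item.php?id=5%20%61%6E%64%20%31%3D%31",  # the encoded string from the post
    "/item.php?id=5 and 54=54",                # already plain text
    "/item.php?id=5%20and%2054=54",            # only the spaces are encoded
    "/item.php?id=5 and 1=2",                  # not a tautology, must not match
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(check(uri), uri)
```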




