[Snort-sigs] PCRE and normalized content

Rodrigo Montoro (Sp0oKeR) spooker at ...2420...
Wed Jan 13 19:08:52 EST 2010


Paul,

I think you should read the Snort manual =)

Table 3.8: Snort specific modifiers for pcre
R  Match relative to the end of the last pattern match. (Similar to distance:0;)
U  Match the decoded URI buffers (Similar to uricontent and http_uri)
P  Match normalized HTTP request body (Similar to http_client_body)
H  Match normalized HTTP request header (Similar to http_header)
M  Match normalized HTTP request method (Similar to http_method)
C  Match normalized HTTP request cookie (Similar to http_cookie)
B  Do not use the decoded buffers (Similar to rawbytes)
O  Override the configured pcre match limit for this expression (See section 2.1.3)

Anyway, this rule will fail with a simple "and 1<2".

I tried once to write a rule, but there are too many ways to write the
same query. Take a look at this thread:
http://lists.emergingthreats.net/pipermail/emerging-sigs/2008-June/000698.html

Anyway, I don't think this list is about writing new rules =)

Regards,

On Wed, Jan 13, 2010 at 9:52 PM, Paul Schmehl <pschmehl_lists at ...3425...> wrote:
> This string: %20%61%6E%64%20%31%3D%31
> equals this string: ' and 1=1'
> after normalization.  You can pick this up in a rule by using uricontent
> instead of content.  But what do you do about PCRE?  Is there a way to get PCRE
> to match against normalized content?  Or will it only match against
> non-normalized content?
>
> I'm working on sql injection rules and using the following pcre:
> pcre:"/and\s(\d+)=\1/";
>
> It works fine on 1=1 or 54=54, but fails on %31%3D%31, apparently because it's
> attempting to match against the non-normalized content.
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson



-- 
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker
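As an added illustration (not code from the thread or from the Snort project), the Python sketch below runs Paul's pattern against the raw URI and against a percent-decoded copy, which stands in for Snort's normalized URI buffer (what pcre sees with the /U modifier). The Snort rule string is a constructed example, and its sid is a local-range placeholder.

```python
import re
from urllib.parse import unquote

# Paul's PCRE from the thread as a Python regex: "and", whitespace,
# a number, "=", and the same number again (backreference).
SQLI_PCRE = re.compile(r"and\s(\d+)=\1")

def normalize_uri(raw: str) -> str:
    """Approximate Snort's URI normalization by percent-decoding.
    (http_inspect does more, e.g. multi-slash and traversal handling,
    but percent-decoding is the part this thread is about.)"""
    return unquote(raw)

def matches(buffer: str) -> bool:
    return SQLI_PCRE.search(buffer) is not None

def check(raw_uri: str) -> dict:
    """Compare a hit on the raw buffer (pcre without /U) with a hit on
    the normalized buffer (pcre with /U)."""
    normalized = normalize_uri(raw_uri)
    return {
        "normalized": normalized,
        "raw_match": matches(raw_uri),
        "normalized_match": matches(normalized),
    }

# Constructed sample URIs.
ENCODED = "/item.php?id=1%20%61%6E%64%20%31%3D%31"  # " and 1=1" encoded
PLAIN = "/item.php?id=1 and 54=54"
EVASION = "/item.php?id=1 and 1<2"  # Rodrigo's point: no "=" to match

# Constructed rule: the same expression with U so it runs on the decoded
# URI buffer. sid 1000001 is a local-range placeholder, not a real rule id.
SNORT_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ('
    'msg:"SQLi tautology and N=N in URI"; flow:to_server,established; '
    r'pcre:"/and\s(\d+)=\1/U"; classtype:web-application-attack; '
    'sid:1000001; rev:1;)'
)

if __name__ == "__main__":
    for uri in (ENCODED, PLAIN, EVASION):
        print(uri, check(uri))
```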