[Snort-sigs] PCRE and normalized content

Rodrigo Montoro(Sp0oKeR) spooker at ...2420...
Wed Jan 13 20:41:54 EST 2010


My bad =)

What I wanted to say is about writing basic rules without reading the manual first.

Long live the Snort drinking game http://blog.joelesler.net/the-snort-drinking-game

Regards,

On Wed, Jan 13, 2010 at 11:17 PM, Jason Brvenik
<jason.brvenik at ...435...> wrote:
> Why wouldn't the list be about new rules? All things rules? Anything
> relating to rules? (Because it has -sigs?)
>
> I think we need to talk more about the snort sigs on money. . .
>
> On Jan 13, 2010 7:15 PM, "Rodrigo Montoro(Sp0oKeR)" <spooker at ...2420...>
> wrote:
>
> Paul,
>
> I think you should read the Snort manual =)
>
> Table 3.8: Snort specific modifiers for pcre
> R Match relative to the end of the last pattern match. (Similar to
> distance:0;)
> U Match the decoded URI buffers (Similar to uricontent and http_uri)
> P Match normalized HTTP request body (Similar to http_client_body)
> H Match normalized HTTP request header (Similar to http_header)
> M Match normalized HTTP request method (Similar to http_method)
> C Match normalized HTTP request cookie (Similar to http_cookie)
> B Do not use the decoded buffers (Similar to rawbytes)
> O Override the configured pcre match limit for this expression (See
> section 2.1.3)
>
> Anyway, these rules will fail with a simple "and 1<2".
>
> I tried once to write rules for this, but there are too many ways to write
> the same query. Take a look at this thread:
> http://lists.emergingthreats.net/pipermail/emerging-sigs/2008-June/000698.html
>
> Anyway, I don't think this list is about writing new rules =)
>
> Regards,
>
> On Wed, Jan 13, 2010 at 9:52 PM, Paul Schmehl <pschmehl_lists at ...3425...>
> wrote: > This string: %20%...
>
> --
> Rodrigo Montoro (Sp0oKeR)
> http://www.spooker.com.br
> http://www.twitter.com/spookerlabs
> http://www.linkedin.com/in/spooker
>



-- 
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker
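The point of the modifier table quoted above is that pcre with U (like uricontent/http_uri) runs against the normalized, percent-decoded URI buffer, while B (like rawbytes) runs against the bytes on the wire, so a regex that hard-codes "%20" only works on one of them. The following is an added example, not code from the thread or from Snort: a toy Python model of that difference, plus the "and 1<2" style variant Rodrigo mentions. The normalization is deliberately minimal (percent-decoding and "+" only; real http_inspect also canonicalises paths, handles multiple encodings, etc.), and all sample URIs are constructed for illustration, not Paul's actual string, which is truncated in the archive.

```python
"""
Added example (not from the thread): model of raw vs. normalized URI
matching, in the spirit of Snort's pcre B and U modifiers.

- normalize_uri() is a toy stand-in for http_inspect URI normalization
  (assumption: percent-decoding and '+' -> space only).
- RAW_ENCODED_RE is the kind of regex written straight from a packet
  dump, with the percent-encoding baked in (what you'd run with /B).
- NORMALIZED_RE is the same intent written against the decoded buffer
  (what you'd run with /U).
- TAUTOLOGY_RE is a looser attempt that also catches "and 1<2", and the
  'comment' sample shows that even it is trivially bypassed, which is
  the "too many ways to write the same query" problem.
"""
import re
from urllib.parse import unquote_plus


def normalize_uri(raw: str) -> str:
    """Toy normalization: percent-decode and treat '+' as a space.
    Real Snort normalization does considerably more; this is only the
    part needed to show the raw/decoded buffer distinction."""
    return unquote_plus(raw)


# Constructed sample request URIs (hypothetical, for illustration only).
SAMPLE_URIS = {
    "encoded": "/item.php?id=1%20or%201%3d1",        # space and '=' percent-encoded
    "plus":    "/item.php?id=1+or+1=1",               # same query, '+' for space
    "variant": "/item.php?id=1%20and%201%3c2",        # the "and 1<2" variant
    "comment": "/item.php?id=1/**/and/**/1%3c2",      # inline comments instead of spaces
    "benign":  "/item.php?id=42",
}

# Pattern with the encoding hard-coded; only meaningful on raw bytes.
RAW_ENCODED_RE = re.compile(r"%20or%201%3d1", re.I)

# Same intent written for the decoded buffer: match the literal space and '='.
NORMALIZED_RE = re.compile(r"\s+or\s+1=1", re.I)

# Looser tautology check: or/and, a number, a comparison operator, a number.
TAUTOLOGY_RE = re.compile(r"\b(?:or|and)\s+\d+\s*(?:=|<>|!=|<|>)\s*\d+", re.I)


def match_raw(uri: str) -> bool:
    """Raw-bytes match (B-style): regex runs on the wire form."""
    return RAW_ENCODED_RE.search(uri) is not None


def match_raw_pattern_on_normalized(uri: str) -> bool:
    """The encoded regex applied to the decoded buffer (U-style).
    The '%20' is gone after normalization, so this never fires."""
    return RAW_ENCODED_RE.search(normalize_uri(uri)) is not None


def match_normalized(uri: str) -> bool:
    """Decoded-buffer match (U-style) with a regex written for decoded text."""
    return NORMALIZED_RE.search(normalize_uri(uri)) is not None


def match_tautology(uri: str) -> bool:
    """Looser decoded-buffer check that also accepts 'and 1<2' forms."""
    return TAUTOLOGY_RE.search(normalize_uri(uri)) is not None


def evaluate(uris: dict) -> dict:
    """Return {name: (raw_hit, normalized_hit, tautology_hit)} per URI."""
    return {
        name: (match_raw(u), match_normalized(u), match_tautology(u))
        for name, u in uris.items()
    }


if __name__ == "__main__":
    for name, hits in evaluate(SAMPLE_URIS).items():
        print(f"{name:8s} raw={hits[0]!s:5s} normalized={hits[1]!s:5s} tautology={hits[2]!s:5s}")
```

Running it shows the three failure modes side by side: the percent-encoded regex only hits the one URI that uses exactly that encoding (and hits nothing at all once the buffer is decoded), the decoded-buffer regex catches both spellings of "or 1=1" but not "and 1<2", and the looser tautology regex catches "and 1<2" yet still misses the comment-separated form. Which buffer a pcre option selects matters, but no single regex covers the space of equivalent queries.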
