[Snort-sigs] PCRE and normalized content
pschmehl_lists at ...3425...
Wed Jan 13 21:23:04 EST 2010
Apparently I need to read your snort manual. The one I was looking at
didn't have all those options. :-(
Sure, I won't match 1>2, but I'll still match all equalities, which is
important to me. I'm already catching a bunch of stuff we were missing
--On January 13, 2010 6:08:52 PM -0600 "Rodrigo Montoro(Sp0oKeR)"
<spooker at ...2420...> wrote:
> I think you should read snort manual =)
> Table 3.8: Snort specific modifiers for pcre
> R Match relative to the end of the last pattern match. (Similar to
> U Match the decoded URI buffers (Similar to uricontent and http uri)
> P Match normalized HTTP request body (Similar to http client body)
> H Match normalized HTTP request header (Similar to http header)
> M Match normalized HTTP request method (Similar to http method)
> C Match normalized HTTP request cookie (Similar to http cookie)
> B Do not use the decoded buffers (Similar to rawbytes)
> O Override the configured pcre match limit for this expression (See
> section 2.1.3)
> Anyway, this rule will fail with a simple 'and 1<2'.
> I tried once to write a rule, but there are too many ways to write the
> same query; take a look at this thread.
> Anyway, I don't think this list is about writing new rules =)
> On Wed, Jan 13, 2010 at 9:52 PM, Paul Schmehl <pschmehl_lists at ...3425...>
>> This string: %20%61%6E%64%20%31%3D%31
>> equals this string: ' and 1=1'
>> after normalization. You can pick this up in a rule by using
>> uricontent instead of content. But what do you do about PCRE? Is
>> there a way to get PCRE to match against normalized content? Or will
>> it only match against non-normalized content?
>> I'm working on sql injection rules and using the following pcre:
>> It works fine on 1=1 or 54=54, but fails on %31%3D%31, apparently
>> because it's attempting to match against the non-normalized content.
>> Paul Schmehl, Senior Infosec Analyst
>> As if it wasn't already obvious, my opinions
>> are my own and not those of my employer.
>> "It is as useless to argue with those who have
>> renounced the use of reason as to administer
>> medication to the dead." Thomas Jefferson
> Rodrigo Montoro (Sp0oKeR)
Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
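To illustrate the point of the thread (a plain pcre sees the raw request, while uricontent and pcre with the U modifier see the percent-decoded buffer), here is a small Python example. It is added to this archive page and is not code from the thread or from Snort; the regex is an assumption standing in for the unnamed pcre Paul mentions, and normalize_uri() only percent-decodes, which is a deliberate simplification of what Snort's HTTP inspector does.

```python
import re
from urllib.parse import unquote

# Equality tautology pattern in the spirit of the rule discussed in the thread.
# The backreference \1 requires both sides to be the same number, so "1=1" and
# "54=54" match while "1=2" and "1<2" do not. This regex is an assumption: the
# thread's own pcre is not shown.
EQUALITY_TAUTOLOGY = re.compile(r"(?i)\band\s+(\d+)\s*=\s*\1\b")


def normalize_uri(raw: str) -> str:
    """Approximate the URI normalization applied before uricontent / pcre U matching.

    Only percent-decoding is modelled here (e.g. %31%3D%31 -> 1=1). Snort's HTTP
    inspector also handles double-encoding, path canonicalization and other
    transforms that this helper deliberately leaves out.
    """
    return unquote(raw)


def matches_raw(raw: str) -> bool:
    """Match against the non-normalized buffer (what a plain pcre without U sees)."""
    return EQUALITY_TAUTOLOGY.search(raw) is not None


def matches_normalized(raw: str) -> bool:
    """Match against the decoded buffer (what pcre with the U modifier sees)."""
    return EQUALITY_TAUTOLOGY.search(normalize_uri(raw)) is not None


if __name__ == "__main__":
    # Constructed sample request URIs; the encoded one uses the string from the thread.
    samples = [
        "/item.php?id=5%20%61%6E%64%20%31%3D%31",  # ' and 1=1', fully percent-encoded
        "/item.php?id=5 and 54=54",                 # plain-text equality
        "/item.php?id=5 and 1<2",                   # inequality: not matched, as noted in the thread
        "/item.php?id=5 and 1=2",                   # unequal sides: not matched
    ]
    for uri in samples:
        print(f"{uri!r:45} raw={matches_raw(uri)!s:5} normalized={matches_normalized(uri)}")
```

Running it shows the encoded URI matching only after normalization, which is the behaviour the U modifier gives a pcre in a rule; the inequality case stays unmatched either way, as Rodrigo points out.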