[Snort-sigs] PCRE and normalized content

Rodrigo Montoro(Sp0oKeR) spooker at ...2420...
Wed Jan 13 21:30:19 EST 2010


If you are using the snort manual 2.8.5.1 it's there but in a "wrong
place" (page 131 with byte_test). If you read the snort_manual from
snort 2.8.6 beta it's in the "correct page".

Did you see that other thread anyway?

Hope it helps.

Regards,

On Thu, Jan 14, 2010 at 12:23 AM, Paul Schmehl <pschmehl_lists at ...3425...> wrote:
> Apparently I need to read your snort manual.  The one I was looking at
> didn't have all those options.  :-(
>
> Sure, I won't match 1>2, but I'll still match all equalities, which is
> important to me.  I'm already catching a bunch of stuff we were missing
> previously.
>
> --On January 13, 2010 6:08:52 PM -0600 "Rodrigo Montoro(Sp0oKeR)"
> <spooker at ...2420...> wrote:
>
>>
>> Paul,
>>
>> I think you should read the snort manual =)
>>
>> Table 3.8: Snort specific modifiers for pcre
>> R Match relative to the end of the last pattern match. (Similar to
>> distance:0;)
>> U Match the decoded URI buffers (Similar to uricontent and http uri)
>> P Match normalized HTTP request body (Similar to http client body)
>> H Match normalized HTTP request header (Similar to http header)
>> M Match normalized HTTP request method (Similar to http method)
>> C Match normalized HTTP request cookie (Similar to http cookie)
>> B Do not use the decoded buffers (Similar to rawbytes)
>> O Override the configured pcre match limit for this expression (See
>> section 2.1.3)
>>
>> Anyway this rule will fail with a simple and 1<2.
>>
>> I tried once to write a rule but there are too many ways to write the
>> same query; take a look at this thread:
>> http://lists.emergingthreats.net/pipermail/emerging-sigs/2008-June/000698.html
>>
>> Anyway I don't think this list is about writing new rules =)
>>
>> Regards,
>>
>> On Wed, Jan 13, 2010 at 9:52 PM, Paul Schmehl <pschmehl_lists at ...3425...>
>> wrote:
>>>
>>> This string: %20%61%6E%64%20%31%3D%31
>>> equals this string: ' and 1=1'
>>> after normalization.  You can pick this up in a rule by using
>>> uricontent instead of content.  But what do you do about PCRE?  Is
>>> there a way to get PCRE to match against normalized content?  Or will
>>> it only match against non-normalized content?
>>>
>>> I'm working on sql injection rules and using the following pcre:
>>> pcre:"/and\s(\d+)=\1/";
>>>
>>> It works fine on 1=1 or 54=54, but fails on %31%3D%31, apparently
>>> because it's attempting to match against the non-normalized content.
>>>
>>> --
>>> Paul Schmehl, Senior Infosec Analyst
>>> As if it wasn't already obvious, my opinions
>>> are my own and not those of my employer.
>>> *******************************************
>>> "It is as useless to argue with those who have
>>> renounced the use of reason as to administer
>>> medication to the dead." Thomas Jefferson
>>>
>>>
>>> _______________________________________________
>>> Snort-sigs mailing list
>>> Snort-sigs at lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>>>
>>
>>
>>
>> --
>> Rodrigo Montoro (Sp0oKeR)
>> http://www.spooker.com.br
>> http://www.twitter.com/spookerlabs
>> http://www.linkedin.com/in/spooker
>
>
>
> Paul Schmehl, If it isn't already
> obvious, my opinions are my own
> and not those of my employer.
> ******************************************
> WARNING: Check the headers before replying
>
>



-- 
Rodrigo Montoro (Sp0oKeR)
http://www.spooker.com.br
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker
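The point of the thread is that Paul's pcre only sees the raw request unless the Snort-specific U modifier (Table 3.8 above) tells it to match the decoded URI buffer. The script below is an added illustration, not code from either poster or from Snort itself: it runs the same regular expression once against the raw URI and once against a percent-decoded copy, which is an assumed approximation of what Snort's HTTP preprocessor hands to a pcre with the U flag (the real normalizer also handles double encoding, directory traversal and similar cases, which are not emulated here). The sample URIs are constructed, apart from the encoded ' and 1=1' fragment quoted in the thread, and the last two show the gap Rodrigo points out: an inequality such as `and 1<2`, or a non-equal pair such as `and 1=2`, is not matched by the backreference pattern at all.

```python
"""Emulate Snort's pcre 'U' modifier (match against the decoded URI buffer)
to show why /and\\s(\\d+)=\\1/ misses URL-encoded input unless it is applied
to normalized content."""
import re
from urllib.parse import unquote

# The PCRE from the thread, without the Snort-only /U flag.
SQLI_EQUALITY = re.compile(r"and\s(\d+)=\1")

# The rule option the thread's Table 3.8 implies for a normalized match.
# Kept only for reference; this script does not parse Snort rules.
SNORT_PCRE_OPTION = 'pcre:"/and\\s(\\d+)=\\1/U";'


def normalize_uri(uri: str) -> str:
    """Approximate the HTTP preprocessor's URI normalization with plain
    percent-decoding (assumption: Snort's http_inspect does more, e.g.
    double-decoding and path normalization, which is not emulated)."""
    return unquote(uri)


def pcre_raw(uri: str) -> bool:
    """Behaviour without /U: the regex sees the raw, still-encoded URI."""
    return SQLI_EQUALITY.search(uri) is not None


def pcre_normalized(uri: str) -> bool:
    """Behaviour with /U: the regex sees the decoded URI buffer."""
    return SQLI_EQUALITY.search(normalize_uri(uri)) is not None


def evaluate(uri: str) -> dict:
    """Return the decoded form and both match outcomes for one URI."""
    return {
        "decoded": normalize_uri(uri),
        "raw_match": pcre_raw(uri),
        "normalized_match": pcre_normalized(uri),
    }


# Constructed sample request URIs (only the encoded ' and 1=1' fragment
# comes from the thread).
SAMPLES = [
    "/item.php?id=7%20%61%6E%64%20%31%3D%31",  # ' and 1=1', fully encoded
    "/item.php?id=7%20and%2054%3D54",          # 'and 54=54', partly encoded
    "/item.php?id=7%20and%201%3C2",            # 'and 1<2': not an equality
    "/item.php?id=7%20and%201%3D2",            # 'and 1=2': sides differ
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = evaluate(sample)
        print(sample)
        print(f"  decoded={result['decoded']!r} "
              f"raw={result['raw_match']} "
              f"normalized={result['normalized_match']}")
```

Running it shows the first two URIs matching only after decoding, exactly the behaviour Paul observed, and the last two never matching; a rule meant to catch tautologies other than `n=n` needs a different expression, not a different modifier.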



