[Snort-sigs] Understanding within

James Lay jlay at ...3266...
Wed Aug 15 14:01:57 EDT 2012


On 2012-08-15 11:41, lists at ...3397... wrote:
> On 08/15/12 12:33, Joel Esler wrote:
>> You cannot apply content keywords to pcre.
>>
>> (So, no, you can't do what you are asking)
>
> Right, but he could use the /R flag (like distance:0) to make the PCRE
> relative to the last content match.  You could also just PCRE-up your within.
>
> Example:
>
> content:"bleh"; content:"blah"; within:14;
>
> pcre:"/bleh[^\r\n]{0,10}blah/";
>
> PCRE version 7.8 2008-09-05
>
>   re> /bleh[^\r\n]{0,10}blah/
> data> blehblah
>  0: blehblah
> data> bleh1234567890blah
>  0: bleh1234567890blah
> data> bleh12345678901blah
> No match
> data>

Thanks gents...this does help.  Not to beat a dead horse here...here's 
the original snippet from the email:

The reference number for this fax is <a 
href="hxxp://pixeljunks.de/YRmJLNJv/index.html">min1_did12-1345023267-7176853217-25

For things like this should I just forget about the within statement, 
knowing that:

content:"<a href=|22|http:"; fast_pattern; pcre:"/\x2f[a-z]{8}\x2f/i";

will only match a packet that contains the content AND the pcre?  
Again...just trying to tighten and optimize as best I can...thanks 
again.

James
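Added example, not code from the thread or from the Snort project: a small Python model of the two rule fragments discussed above, so the semantics can be checked offline. It assumes Snort's documented behaviour: within:N confines the next content to the N bytes following the end of the previous match, and the pcre R flag starts the regex at the end of the previous content match, whereas without R the pcre is searched from byte 0 of the payload, independent of where the content matched. The |22| hex notation is parsed into a double quote. All payloads are constructed for this example (the first three reproduce the pcretest data quoted above; the anchor tag uses the made-up host example.invalid, not the one in the fax e-mail).

```python
"""Model of Snort content/within and pcre (with and without /R) semantics.
Assumptions (documented Snort behaviour, not the engine's own code):
  - within:N  -> the pattern must end no more than N bytes after the end
                 of the previous content match
  - pcre /R   -> the regex search starts at the end of the previous match;
                 without R it starts at byte 0 of the payload
"""
import re


def parse_content(spec: str) -> bytes:
    """Turn a Snort content string such as '<a href=|22|http:' into bytes.
    Text between '|' pipes is hex, so |22| becomes a double quote."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")       # literal text
        else:
            out += bytes.fromhex(part.replace(" ", ""))  # hex bytes
    return bytes(out)


def content_match(payload: bytes, pattern: bytes, start: int = 0, within=None):
    """Return the end offset of `pattern`, or None.  `start` is the end of
    the previous match (distance:0); `within` shrinks the search window so
    the match must end within that many bytes of `start`."""
    end = len(payload) if within is None else min(len(payload), start + within)
    idx = payload.find(pattern, start, end)
    return None if idx < 0 else idx + len(pattern)


def pcre_match(payload: bytes, regex: bytes, flags: str, start: int = 0):
    """Evaluate a pcre option.  'i' -> case-insensitive; 'R' -> search from
    the end of the previous content match instead of from byte 0."""
    re_flags = re.IGNORECASE if "i" in flags else 0
    pos = start if "R" in flags else 0
    m = re.compile(regex, re_flags).search(payload, pos)
    return None if m is None else m.end()


def rule_within(payload: bytes) -> bool:
    # content:"bleh"; content:"blah"; within:14;
    end1 = content_match(payload, b"bleh")
    if end1 is None:
        return False
    return content_match(payload, b"blah", start=end1, within=14) is not None


def rule_pcre_equiv(payload: bytes) -> bool:
    # pcre:"/bleh[^\r\n]{0,10}blah/";  the regex form of the same constraint
    return pcre_match(payload, rb"bleh[^\r\n]{0,10}blah", "") is not None


def rule_link(payload: bytes, relative: bool) -> bool:
    # content:"<a href=|22|http:"; fast_pattern; pcre:"/\x2f[a-z]{8}\x2f/i";
    # fast_pattern only picks the pattern for the fast matcher and does not
    # change the rule's result, so it is ignored here.  `relative` adds R.
    end1 = content_match(payload, parse_content("<a href=|22|http:"))
    if end1 is None:
        return False
    flags = "iR" if relative else "i"
    return pcre_match(payload, rb"\x2f[a-z]{8}\x2f", flags, start=end1) is not None


# Constructed sample payloads.  The first three are the pcretest inputs from
# the quoted reply; the rest are made up for this example.
SAMPLES = {
    "adjacent": b"blehblah",
    "gap10":    b"bleh1234567890blah",
    "gap11":    b"bleh12345678901blah",
    "newline":  b"bleh\r\nblah",   # within allows CR/LF, [^\r\n] does not
}
LINK_AFTER = (b'The reference number for this fax is '
              b'<a href="http://example.invalid/YRmJLNJv/index.html">')
LINK_BEFORE = b'/abcdefgh/ is the path; <a href="http://example.invalid/index.html">'


def evaluate_all() -> dict:
    """Run every rule over every sample; (within, pcre) tuples for SAMPLES."""
    results = {name: (rule_within(p), rule_pcre_equiv(p)) for name, p in SAMPLES.items()}
    results["link_after_no_R"] = rule_link(LINK_AFTER, relative=False)
    results["link_after_R"] = rule_link(LINK_AFTER, relative=True)
    results["link_before_no_R"] = rule_link(LINK_BEFORE, relative=False)
    results["link_before_R"] = rule_link(LINK_BEFORE, relative=True)
    return results


if __name__ == "__main__":
    for name, value in evaluate_all().items():
        print(f"{name:18} {value}")
```

Two things the output makes visible: the "newline" payload satisfies within:14 but not the [^\r\n]{0,10} regex, because the character class also rules out line breaks while within only counts bytes; and the "link_before" payload shows that without R the rule fires even though the /xxxxxxxx/ path sits in front of the anchor tag, so if the path is meant to follow the href the R flag (or a within on a second content) is what ties the two together.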





More information about the Snort-sigs mailing list