[Snort-sigs] Understanding within

Wed Aug 15 14:10:31 EDT 2012


On 08/15/12 13:01, James Lay wrote:
> Thanks gents...this does help.  Not to beat a dead horse here...here's 
> the original snippet from the email:
> 
> The reference number for this fax is <a 
> href="hxxp://pixeljunks.de/YRmJLNJv/index.html">min1_did12-1345023267-7176853217-25
> 
> For things like this should I just forget about the within statement, 
> knowing that:
> 
> content:"<a href=|22|http:"; fast_pattern; pcre:"/\x2f[a-z]{8}\x2f/i";
> 
> will only match a packet that contains the content AND the pcre?  
> Again...just trying to tighten and optimize as best I can...thanks 
> again.

On the ET side we've got a really good one for this: it's the 8-character
camel-case to index.html check; see sid 2014521.

Basically, I'd do the below to re-create the urilen style seen with 2014521 and
avoid being pcre-heavy/pcre-only and ensure the camel-case style they use.

content:"/"; content:"/index.html|22|>"; within:21; fast_pattern;
pcre:"/https?:\/\/[^\x2f]+\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html[^\w]?/";

Thanks,
Nathan
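To make the within:21 arithmetic in the rule above concrete, here is an added model (not code from the list post or from ET) of how the two content matches and the pcre combine. It assumes Snort's behaviour of retrying the first content at its next occurrence when the relative second content fails, so the question becomes whether any "/" has '/index.html">' ending within 21 bytes of it; the sample hrefs use a constructed example.com host.

```python
import re

# PCRE copied verbatim from the rule; Python's re accepts the same syntax.
PCRE = re.compile(
    r"https?:\/\/[^\x2f]+\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html[^\w]?"
)

CONTENT_1 = b"/"
CONTENT_2 = b'/index.html">'
WITHIN = 21


def within_matches(payload: bytes, first: bytes, second: bytes, within: int) -> bool:
    """Model of `content:first; content:second; within:N`.

    Snort needs `second` to sit entirely inside the N bytes that follow the end of
    the `first` match. When that fails it retries `first` at its next occurrence
    (assumption about Snort's relative-match retry), so we loop over every hit.
    """
    start = 0
    while True:
        pos = payload.find(first, start)
        if pos == -1:
            return False
        window_start = pos + len(first)
        if second in payload[window_start:window_start + within]:
            return True
        start = pos + 1


def rule_matches(payload: bytes) -> bool:
    """Both content checks (with within) and the pcre must hold, as in the rule."""
    if not within_matches(payload, CONTENT_1, CONTENT_2, WITHIN):
        return False
    return PCRE.search(payload.decode("latin-1")) is not None


def segment_budget(within: int, second: bytes) -> int:
    """Path-segment bytes the within window leaves room for: 21 - 13 = 8."""
    return within - len(second)


# Constructed samples: the first is the rule's intended shape, the second has a
# 9-character segment (passes the pcre but not within:21), the third has no
# upper-case letter (passes within:21 but not the pcre).
SAMPLE_HIT = b'<a href="http://example.com/YRmJLNJv/index.html">'
SAMPLE_LONG = b'<a href="http://example.com/YRmJLNJvX/index.html">'
SAMPLE_LOWER = b'<a href="http://example.com/yrmjlnjv/index.html">'

if __name__ == "__main__":
    for s in (SAMPLE_HIT, SAMPLE_LONG, SAMPLE_LOWER):
        print(rule_matches(s), s.decode())
```

The second sample shows why within:21 does the length check the pcre alone does not: eight bytes of segment plus the thirteen bytes of '/index.html">' fill the window exactly, so a ninth byte pushes the second content out of it.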
