[Snort-sigs] Understanding within

Joel Esler jesler at ...435...
Wed Aug 15 14:34:52 EDT 2012


On Aug 15, 2012, at 2:01 PM, James Lay <jlay at ...3266...> wrote:
> On 2012-08-15 11:41, lists at ...3397... wrote:
>> On 08/15/12 12:33, Joel Esler wrote:
>>> You cannot apply content keywords to pcre.
>>> 
>>> (So, no, you can't do what you are asking)
>> 
>> Right but he could use the /R flag (like distance:0) to make the PCRE
>> relative
>> to the last content match.  You could also just PCRE-up your within.
>> 
>> Example:
>> 
>> content:"bleh"; content:"blah" within:14;
>> 
>> pcre:"/bleh[^\r\n]{0,10}blah/";
>> 
>> PCRE version 7.8 2008-09-05
>> 
>>  re> /bleh[^\r\n]{0,10}blah/
>> data> blehblah
>> 0: blehblah
>> data> bleh1234567890blah
>> 0: bleh1234567890blah
>> data> bleh12345678901blah
>> No match
>> data>
> 
> Thanks gents...this does help.  Not to beat a dead horse here...here's 
> the original snippet from the email:
> 
> The reference number for this fax is <a 
> href="hxxp://pixeljunks.de/YRmJLNJv/index.html">min1_did12-1345023267-7176853217-25
> 
> For things like this should I just forget about the within statement, 
> knowing that:
> 
> content:"<a href=|22|http:"; fast_pattern; pcre:"/\x2f[a-z]{8}\x2f/i";


James:

SID: 22088 covers these redirection attempts.  

But maybe 
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"something bad this way comes"; flow:to_server,established; file_data; content:"<a href=|22|http|3a|"; content:"index.html"; distance:0; within:30; pcre:"/\x2f[A-Z\d]{8}\x2f/i"; metadata:service smtp;)

?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
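An added example (not from the thread or from Snort itself) that emulates the content/distance/within window from the rules above in Python and runs it beside the equivalent PCRE, so the two approaches can be compared on the list's test strings. It also computes the within budget for a constructed fax snippet modelled on the quoted e-mail; the host name is a placeholder, not the original.

```python
import re
from typing import Optional, Tuple

def content_within(buf: bytes, first: bytes, second: bytes,
                   distance: int = 0, within: Optional[int] = None) -> bool:
    """Emulate content:first; content:second; distance:D; within:W.
    The second pattern is searched starting D bytes after the end of the
    first match and must lie entirely inside the next W bytes."""
    start = buf.find(first)
    if start < 0:
        return False
    doe = start + len(first) + distance          # end of previous match + distance
    window = buf[doe:] if within is None else buf[doe:doe + within]
    return window.find(second) >= 0

def min_within(buf: bytes, first: bytes, second: bytes, distance: int = 0) -> Optional[int]:
    """Smallest within value that lets the second content match this buffer."""
    start = buf.find(first)
    if start < 0:
        return None
    doe = start + len(first) + distance
    idx = buf[doe:].find(second)
    return None if idx < 0 else idx + len(second)

# PCRE from the thread: within:14 on the 4-byte "blah" leaves a gap of at most 10 bytes.
PCRE_EQUIV = re.compile(rb"bleh[^\r\n]{0,10}blah")

def compare(buf: bytes) -> Tuple[bool, bool]:
    """(content/within result, pcre result) for one buffer."""
    return (content_within(buf, b"bleh", b"blah", within=14),
            PCRE_EQUIV.search(buf) is not None)

# Constructed samples: the three strings from the list's pcretest run, plus one with a newline,
# which 'within' accepts but [^\r\n] rejects (the two are not exactly equivalent).
SAMPLES = [b"blehblah", b"bleh1234567890blah", b"bleh12345678901blah", b"bleh\n12345blah"]

# Constructed snippet modelled on the quoted fax e-mail; placeholder host.
FAX = (b'The reference number for this fax is '
       b'<a href="http://example.test/YRmJLNJv/index.html">min1_did12-0000000000')

def fax_rule(buf: bytes, within: int = 30) -> bool:
    """Content chain from the suggested rule plus its pcre, run over a plain buffer."""
    chain = content_within(buf, b'<a href="http:', b"index.html", distance=0, within=within)
    return chain and re.search(rb"/[A-Z\d]{8}/", buf, re.I) is not None

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, compare(s))
    print("within needed for the fax snippet:", min_within(FAX, b'<a href="http:', b"index.html"))
```

Running it shows the within value a given URL shape needs (host plus path length up to the end of "index.html"), which is the number to check before settling on a within budget.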
