[Snort-sigs] Understanding within

James Lay jlay at ...3266...
Wed Aug 15 14:37:07 EDT 2012


On 2012-08-15 12:34, Joel Esler wrote:
> On Aug 15, 2012, at 2:01 PM, James Lay <jlay at ...3266...> 
> wrote:
>> On 2012-08-15 11:41, lists at ...3397... wrote:
>>> On 08/15/12 12:33, Joel Esler wrote:
>>>> You cannot apply content keywords to pcre.
>>>>
>>>> (So, no, you can't do what you are asking)
>>>
>>> Right, but he could use the /R flag (like distance:0) to make the PCRE
>>> relative to the last content match.  You could also just PCRE-up your
>>> within.
>>>
>>> Example:
>>>
>>> content:"bleh"; content:"blah" within:14;
>>>
>>> pcre:"/bleh[^\r\n]{0,10}blah/";
>>>
>>> PCRE version 7.8 2008-09-05
>>>
>>>  re> /bleh[^\r\n]{0,10}blah/
>>> data> blehblah
>>> 0: blehblah
>>> data> bleh1234567890blah
>>> 0: bleh1234567890blah
>>> data> bleh12345678901blah
>>> No match
>>> data>
>>
>> Thanks gents...this does help.  Not to beat a dead horse here...here's
>> the original snippet from the email:
>>
>> The reference number for this fax is <a href="hxxp://pixeljunks.de/YRmJLNJv/index.html">min1_did12-1345023267-7176853217-25
>>
>> For things like this should I just forget about the within statement,
>> knowing that:
>>
>> content:"<a href=|22|http:"; fast_pattern; pcre:"/\x2f[a-z]{8}\x2f/i";
>
>
> James:
>
> SID: 22088 covers these redirection attempts.
>
> But maybe
> alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"something bad this way comes"; flow:to_server,established; file_data; content:"<a href=|22|http|3a|"; content:"index.html"; distance:0; within:30; pcre:"/\x2f[A-Z\d]{8}\x2f/i"; metadata:service smtp; sid:1000000; rev:1;)
>
> ?
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire


Ah sheesh...thanks again gents....leave it to me to recreate the wheel 
8-|

James
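Added example, not part of the thread above: a small Python model of the two matching styles the thread compares, `content; content; within:N;` versus a single `pcre`. It assumes Snort's documented semantics for `within` (the second content must lie entirely in the N bytes following the end of the previous match, with every earlier occurrence retried) and uses Python's `re` as a stand-in for PCRE; it is not Snort's own matcher. The fax-lure payload is constructed to have the same shape as the snippet quoted in the thread, with the real host replaced by example.net, and the helper names (`content_within`, `fax_redirect_match`, `href_to_index_html_distance`) are this example's own.

```python
import re

# Added example: models Snort content/within and pcre semantics in plain Python.
# Not Snort's own matcher; sample payloads below are constructed.


def content_within(payload: bytes, first: bytes, second: bytes, within: int) -> bool:
    """Emulate `content:first; content:second; within:N;`.

    The second search starts at the end of the first match (distance:0 is
    implied) and the second content must fit entirely in the next N bytes.
    Every occurrence of `first` is tried, as Snort's content backtracking does.
    """
    start = 0
    while True:
        idx = payload.find(first, start)
        if idx < 0:
            return False
        end = idx + len(first)
        if second in payload[end:end + within]:
            return True
        start = idx + 1


# The thread's pcre:"/bleh[^\r\n]{0,10}blah/" and its content/within counterpart.
BLEH_BLAH_RE = re.compile(rb"bleh[^\r\n]{0,10}blah")


def bleh_blah_content(payload: bytes) -> bool:
    # content:"bleh"; content:"blah"; within:14;  (10 bytes of gap + len("blah"))
    return content_within(payload, b"bleh", b"blah", 14)


def bleh_blah_pcre(payload: bytes) -> bool:
    # Note the difference: [^\r\n] refuses a line break in the gap, within: does not.
    return BLEH_BLAH_RE.search(payload) is not None


# The proposed fax-redirect rule body:
#   content:"<a href=|22|http|3a|"; content:"index.html"; distance:0; within:30;
#   pcre:"/\x2f[A-Z\d]{8}\x2f/i";
# The pcre has no /R flag, so it is searched over the whole buffer on its own.
HREF_HTTP = b'<a href="http:'
PATH8_RE = re.compile(rb"/[A-Z\d]{8}/", re.IGNORECASE)


def fax_redirect_match(payload: bytes, within: int = 30) -> bool:
    """True when both content matches (with the given within) and the pcre hit."""
    return (content_within(payload, HREF_HTTP, b"index.html", within)
            and PATH8_RE.search(payload) is not None)


def href_to_index_html_distance(payload: bytes) -> int:
    """Bytes from the end of the href match to the end of 'index.html', i.e. the
    smallest `within` value that would let the second content match; -1 if absent."""
    idx = payload.find(HREF_HTTP)
    if idx < 0:
        return -1
    end = idx + len(HREF_HTTP)
    j = payload.find(b"index.html", end)
    if j < 0:
        return -1
    return j + len(b"index.html") - end


# Constructed sample with the shape of the quoted lure; host replaced by example.net.
FAX_SAMPLE = (b'The reference number for this fax is '
              b'<a href="http://example.net/YRmJLNJv/index.html">'
              b'min1_did12-1345023267-7176853217-25')


if __name__ == "__main__":
    for data in (b"blehblah", b"bleh1234567890blah", b"bleh12345678901blah", b"bleh\r\nblah"):
        print(data, "content/within:", bleh_blah_content(data), "pcre:", bleh_blah_pcre(data))
    print("href -> index.html distance:", href_to_index_html_distance(FAX_SAMPLE))
    print("within:30 ->", fax_redirect_match(FAX_SAMPLE), " within:40 ->",
          fax_redirect_match(FAX_SAMPLE, within=40))
```

Two things worth running this for: the `[^\r\n]` class in the PCRE rejects a line break between the two strings while `within:` is indifferent to it, so the two forms are not strictly interchangeable; and `within:` is measured from the end of the previous content match, so the window has to cover the host name plus the path, which `href_to_index_html_distance` reports for a given payload before the rule is committed.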
