[Snort-sigs] Matching the beginning or end of a (preprocessor) content buffer

Mike Cox mike.cox52 at ...2420...
Wed Nov 7 16:22:03 EST 2012

AFAIK, it isn't possible to do this without a PCRE but I thought I'd
ask: is it possible to tell a preprocessor content buffer (like
http_uri) to match at the end (or beginning) of the buffer without
using a PCRE?

For example, let's say I want to match the URI "bad.pdf".  I know this
will be at the end of the URI (and thus the end of the http_uri
buffer) and I want to match that specifically so I don't also get
alerts on things like "/bad.pdfoobar/index.aspx".

Normally I'd just do this:

content:"/bad.pdf"; http_uri;

But I know that this will be at the end of the URI buffer and I don't
want to do a PCRE as well to ensure this due to performance concerns.

It seems like this ability would be moderately easy to build into the
engine and computationally trivial as far as performance goes.  Maybe
have something like, "http_uri:end", "http_uri:beginning",
"http_uri:beginning,end", "http_cookie:end", etc. or have special
characters (that would otherwise have to be escaped) to indicate that
you want to match on the beginning or end of the buffer.

Just a thought since you guys are re-writing the http-inspect
preprocessor :)  Joel, feel free to send to snort-dev, I don't think
I'm on that list.


-Mike Cox
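
The unanchored rule from the message next to the content-plus-PCRE form it refers to, as an added example that is not part of the original post; the rule headers, msg strings and sid values are constructed for illustration.

```snort
# Added example; headers, msg text and sids are constructed (local sid range).

# Unanchored: the content match may land anywhere in the normalized URI
# buffer, so this fires on "/docs/bad.pdf" and also on
# "/bad.pdfoobar/index.aspx".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL bad.pdf anywhere in URI"; flow:to_server,established; content:"/bad.pdf"; http_uri; sid:1000001; rev:1;)

# Anchored: the content match is kept so the PCRE is only evaluated on
# requests whose URI already contains "/bad.pdf". The U modifier applies
# the expression to the normalized URI buffer and $ pins the match to the
# end of that buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL bad.pdf at end of URI"; flow:to_server,established; content:"/bad.pdf"; http_uri; pcre:"/\/bad\.pdf$/U"; sid:1000002; rev:1;)
```

The http_uri buffer includes the query string, so the anchored rule does not fire on a request such as "/bad.pdf?x=1".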

