[Snort-sigs] Rule assist

James Lay jlay at ...3266...
Tue Mar 12 17:10:50 EDT 2013


On 2013-03-12 10:01, James Lay wrote:
> Hey all,
>
> Been trying to get this rule:
>
> alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"EXPLOIT-KIT Possible BEK host lookup";
> content:!"in-addr"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2;
> content:"|02|"; within:1; pcre:"/\x02[0-9]{2}/m";
> reference:url,https://urlquery.net/report.php?id=1313067;
> classtype:bad-unknown; sid:10000044; rev:1;)
>
> To match and it's working, but I would like to tighten it up.  Payload:
>
> 00000000  fd 64 01 00 00 01 00 00  00 00 00 00 02 32 30 10  .d...........20.
> 00000010  70 68 63 63 6f 66 63 61  6c 69 66 6f 72 6e 69 61  phccofcalifornia
> 00000020  03 63 6f 6d 00 00 01 00  01                       .com.....
>
> It always amazes me when I work with the pcre: function how little I
> understand it ;)  I always want to treat it like a content: and start
> applying things like depth: and offset:.  That being said, if I add an R
> to my pcre, it doesn't fire, which I don't understand.  I understand R
> as a pcre: modifier to match the relative end of the last pattern match,
> which in my case would be matching the |02| yes?  What am I missing in
> my logic?  Thanks all.
>

Thanks gents for the responses...rule may not be good and FP a lot, but 
very educational :)

James
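Added example (not part of the thread, and not Snort's own code): a small Python model of how Snort walks the posted rule over the payload quoted above. It reproduces the cursor semantics the rule relies on: each successful content or pcre match moves a cursor to the byte just after the match, offset/depth are absolute, within is measured from the cursor, and pcre with R searches from the cursor instead of from the start of the payload. The `Matcher` class, `evaluate()` and `qname()` are this example's own names, and `PAYLOAD` is reconstructed from the hex dump in the post. Running it shows the rule as posted matching, the same pcre with R added failing because the |02| byte has already been consumed by the preceding content: match, and an anchored `/^[0-9]{2}/R` matching from the cursor; `qname()` also shows what the rule actually keys on, a first label made of exactly two digits, which is why it can fire on unrelated lookups.

```python
import re

# Constructed from the hex dump quoted in the post: a 41-byte DNS query
# (12-byte header + one question) for 20.phccofcalifornia.com, type A, class IN.
PAYLOAD = bytes.fromhex(
    "fd640100000100000000000002323010"
    "706863636f6663616c69666f726e6961"
    "03636f6d0000010001"
)


class Matcher:
    """Simplified model (this example's own, not Snort code) of how Snort
    evaluates content/pcre options in order: every successful content or
    pcre match moves `cursor` to the byte just after the match, and relative
    modifiers (within, pcre R) are measured from that cursor."""

    def __init__(self, payload: bytes):
        self.payload = payload
        self.cursor = 0
        self.trace = []  # (option, matched?, cursor after the option)

    def content(self, pattern: bytes, negated=False, offset=0, depth=None, within=None):
        if within is not None:
            # relative: the pattern must end within `within` bytes of the cursor
            lo, hi = self.cursor, self.cursor + within
        else:
            # absolute: depth is counted from offset
            lo = offset
            hi = len(self.payload) if depth is None else offset + depth
        pos = self.payload.find(pattern, lo, hi)
        found = pos != -1
        if found and not negated:
            self.cursor = pos + len(pattern)
        ok = (not found) if negated else found
        self.trace.append((f"content:{'!' if negated else ''}{pattern!r}", ok, self.cursor))
        return ok

    def pcre(self, regex: bytes, relative=False, flags=0):
        # R: search only the bytes after the cursor; otherwise the whole payload.
        start = self.cursor if relative else 0
        m = re.compile(regex, flags).search(self.payload[start:])
        if m:
            self.cursor = start + m.end()
        self.trace.append((f"pcre:{regex!r}{'/R' if relative else ''}", m is not None, self.cursor))
        return m is not None


def evaluate(payload: bytes, pcre_relative: bool, regex: bytes = rb"\x02[0-9]{2}"):
    """Walk the posted rule's detection options in order; returns (fired, trace)."""
    m = Matcher(payload)
    steps = [
        lambda: m.content(b"in-addr", negated=True),
        lambda: m.content(bytes.fromhex("01000001000000000000"), offset=2, depth=10),
        lambda: m.content(b"\x02", within=1),
        lambda: m.pcre(regex, relative=pcre_relative, flags=re.MULTILINE),
    ]
    for step in steps:
        if not step():
            return False, m.trace
    return True, m.trace


def qname(payload: bytes, start: int = 12) -> str:
    """Decode the (uncompressed) question name that starts after the DNS header."""
    labels, i = [], start
    while payload[i] != 0:
        n = payload[i]
        labels.append(payload[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return ".".join(labels)


if __name__ == "__main__":
    print("qname:", qname(PAYLOAD))
    for label, rel, rx in [
        ("as posted, pcre without R", False, rb"\x02[0-9]{2}"),
        ("same pcre with R", True, rb"\x02[0-9]{2}"),
        ("anchored at cursor: /^[0-9]{2}/R", True, rb"^[0-9]{2}"),
    ]:
        fired, trace = evaluate(PAYLOAD, rel, rx)
        print(f"{label}: fired={fired}")
        for opt, ok, cur in trace:
            print(f"    {opt:<45} matched={ok!s:<5} cursor={cur}")
```

The trace printed for the R case shows the cursor sitting at byte 13 after `content:"|02|"; within:1;`, so a relative pcre that still begins with `\x02` is looking for a byte that lies behind it.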

