[Snort-sigs] Snort rule for a pattern match?

Lay, James james.lay at ...3513...
Tue Mar 26 15:28:50 EDT 2013


From: Shields, Joseph (NIH/NIEHS) [C] [mailto:joseph.shields at ...3788...] 
Sent: Tuesday, March 26, 2013 12:02 PM
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Snort rule for a pattern match?

 

I'm reposting this question as I have not seen any responses yet.
Perhaps this can't be done at this time.

 

Brian

 

I am looking for a pattern that identifies a threat I am tracking and
need to write a signature to find it.  The problem is that I don't know
what the starting character will be but I will always know what the
difference between two given characters will be.

 

A simple, human readable, example is:

 

ABCDTSRQ

 

The difference between each character is:

 

[A] is 1 SMALLER than [B] is 1 SMALLER than [C] is 1 SMALLER than [D] is
16 SMALLER than [T] is 1 BIGGER than [S] is 1 BIGGER than [R] is 1
BIGGER than [Q]

 

The pattern in this example is -1,-1,-1,-16,+1,+1,+1.

 

BCDEXWVU would match this pattern and so would HIJKZXYW.

 

How can I write this rule?

 

Brian


Brian,

 

What port are we talking here?  If this is port 80 then ick, but if it's
something obscure it could be as simple as a pcre and we could forego
the computations:

 

pcre:"/[A-Z]{7}/";

 

Got a pcap or is there ANYTHING that's a constant that we can also match
on?

 

James

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130326/e34d0f04/attachment.html>


More information about the Snort-sigs mailing list