[Snort-sigs] Snort rule for a pattern match?

Shields, Joseph (NIH/NIEHS) [C] joseph.shields at ...3788...
Tue Mar 26 15:55:41 EDT 2013


James,
   The traffic could be on most any port, though it likely will be web.  I think PCRE would be possible if the PERL look ahead with calc capability is supported.  I've not seen anything showing this implementation.  Namely, (?{ code }).

Brian

From: Lay, James [mailto:james.lay at ...3513...]
Sent: Tuesday, March 26, 2013 3:29 PM
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Snort rule for a pattern match?

From: Shields, Joseph (NIH/NIEHS) [C] [mailto:joseph.shields at ...3788...]
Sent: Tuesday, March 26, 2013 12:02 PM
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Snort rule for a pattern match?

I'm reposting this question as I have not seen any responses yet.  Perhaps this can't be done at this time.

Brian

I am looking for a pattern that identifies a threat I am tracking and need to write a signature to find it.  The problem is that I don't know what the starting character will be but I will always know what the difference between two given characters will be.

A simple, human readable, example is:

ABCDTSRQ

The difference between each character is:

[A] is 1 SMALLER than [B] is 1 SMALLER than [C] is 1 SMALLER than [D] is 16 SMALLER than [T] is 1 BIGGER than [S] is 1 BIGGER than [R] is 1 BIGGER than [Q]

The pattern in this example is -1,-1,-1,-16,+1,+1,+1.

BCDEXWVU would match this pattern and so would HIJKZXYW.

How can I write this rule?

Brian

Brian,

What port are we talking here?  If this is port 80 then ick, but if it's something obscure it could be as simple as a pcre and we could forego the computations:

pcre:"/[A-Z]{7}/";

Got a pcap or is there ANYTHING that's a constant that we can also match on?

James
