[Snort-sigs] Issue with pcre

Sean Cavanaugh sean.cavanaugh at ...3959...
Mon Oct 6 16:35:09 EDT 2014


Good afternoon all,

I am relatively new to writing Snort sigs and have been having some 
issues with loading the rule shown below into our Sourcefire IPS, but 
receive the error message "...unable to parse pcre regex 
"trackback\/$/EiU".

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Trackback 
attempt"; flow:established,to_server; content:"POST"; http_method; 
uricontent:"/trackback/"; nocase; pcre:"\/trackback\/$/EiU"; sid:xxxxxxx;)

I am attempting to be alerted when the string "/trackback/" is at the 
end of the URI for a POST to our web server. I have tried a few 
variations of the rule but nothing I have done seems to take.

Thank you,

-Sean






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20141006/d2e53997/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4654 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20141006/d2e53997/attachment.bin>


More information about the Snort-sigs mailing list