[Snort-sigs] Issue with pcre

lists at ...3397... lists at ...3397...
Mon Oct 6 16:41:13 EDT 2014


On 10/06/2014 03:35 PM, Sean Cavanaugh wrote:
> Good afternoon all,
> 
> I am relatively new to writing Snort sigs and have been having some issues with
> loading the rule shown below into our Sourcefire IPS, but receive the error
> message "...unable to parse pcre regex "trackback\/$/EiU".
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Trackback attempt";
> flow:established,to_server; content:"POST"; http_method;
> uricontent:"/trackback/"; nocase; pcre:"\/trackback\/$/EiU"; sid:xxxxxxx;)

You're missing the first \x2f, try this:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Trackback attempt";
flow:established,to_server; content:"POST"; http_method;
content:"/trackback/"; http_uri; fast_pattern:only; pcre:"/\/trackback\/$/Ui";
classtype:bad-unknown; sid:xxxxxxx;)

Cheers,
Nathan
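
Added example, not part of the original thread and not Snort's own parser: a small Python lint that checks the delimiter and modifier syntax of a rule's pcre option, run over the two rules posted above. The function names and the modifier set (taken here as the one documented in the Snort 2.9 manual) are assumptions of this example.

```python
import re

# Modifier letters allowed after the closing delimiter
# (assumption: the set documented in the Snort 2.9 manual).
PCRE_FLAGS = set("ismxAEGRUIPHDMCKSYBO")

# Text between the quotes of each pcre option: pcre:[!]"...";
PCRE_OPTION = re.compile(r'pcre:\s*!?"((?:[^"\\]|\\.)*)"\s*;')

def _escaped(s, i):
    """True if s[i] is preceded by an odd number of backslashes."""
    n = 0
    while i - n - 1 >= 0 and s[i - n - 1] == "\\":
        n += 1
    return n % 2 == 1

def check_pcre(body):
    """Return a list of problems found in one pcre option body."""
    if body.startswith("/"):
        delim, rest = "/", body[1:]
    elif len(body) > 1 and body[0] == "m" and not body[1].isalnum() and body[1] not in "\\ ":
        delim, rest = body[1], body[2:]  # m<delim>regex<delim>flags form
    else:
        return ["missing opening delimiter, expected /regex/flags"]
    end = rest.rfind(delim)
    if end == -1 or _escaped(rest, end):
        return ["missing closing delimiter"]
    unknown = sorted(set(rest[end + 1:]) - PCRE_FLAGS)
    return ["unknown modifier(s): " + "".join(unknown)] if unknown else []

def lint_rule(rule):
    """Return (pcre body, problems) for every pcre option in a rule."""
    return [(body, check_pcre(body)) for body in PCRE_OPTION.findall(rule)]

# The two rules from this thread, copied as posted.
ORIGINAL_RULE = r'''alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Trackback attempt";
flow:established,to_server; content:"POST"; http_method;
uricontent:"/trackback/"; nocase; pcre:"\/trackback\/$/EiU"; sid:xxxxxxx;)'''
FIXED_RULE = r'''alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Trackback attempt";
flow:established,to_server; content:"POST"; http_method;
content:"/trackback/"; http_uri; fast_pattern:only; pcre:"/\/trackback\/$/Ui";
classtype:bad-unknown; sid:xxxxxxx;)'''

if __name__ == "__main__":
    for name, rule in (("original", ORIGINAL_RULE), ("fixed", FIXED_RULE)):
        for body, problems in lint_rule(rule):
            print(name, body, problems or "ok")
```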



