[Snort-sigs] Issue with pcre

Sean Cavanaugh sean.cavanaugh at ...3959...
Mon Oct 6 17:10:02 EDT 2014


Thank you Nate, your suggested changes appear to have worked! The only thing
it complained about was using fast_pattern:only. I removed the "only"
part and it accepted the rule.

Thanks again for your help!

-Sean

On 10/06/2014 04:41 PM, lists at ...3397... wrote:
> On 10/06/2014 03:35 PM, Sean Cavanaugh wrote:
>> Good afternoon all,
>>
>> I am relatively new to writing Snort sigs and have been having some issues with
>> loading the rule shown below into our Sourcefire IPS, but receive the error
>> message "...unable to parse pcre regex "trackback\/$/EiU".
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Trackback attempt";
>> flow:established,to_server; content:"POST"; http_method;
>> uricontent:"/trackback/"; nocase; pcre:"\/trackback\/$/EiU"; sid:xxxxxxx;)
> You're missing the first \x2f, try this:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Trackback attempt";
> flow:established,to_server; content:"POST"; http_method;
> content:"/trackback/"; http_uri; fast_pattern:only; pcre:"/\/trackback\/$/Ui";
> classtype:bad-unknown; sid:xxxxxxx;)
>
> Cheers,
> Nathan
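The parse failure in this thread comes from the pcre option lacking its opening "/" delimiter. The following checker is an added example written for this page, not code from Snort or from anyone in the thread; it assumes the "/regex/flags" form only (not Snort's m<delim> form), maps the i/s/m/x modifiers onto Python's re, and treats U as "match against the URI string" so constructed URIs can be tested offline.

```python
import re

# Snort pcre modifiers that correspond to ordinary regex flags (assumed subset).
_RE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}
# Snort-specific modifiers that pick a buffer or matching mode, not a regex flag.
_SNORT_ONLY = set("AEGRUBPHMCOIDKYS")


def parse_snort_pcre(option):
    """Split a pcre option body such as "/\\/trackback\\/$/Ui" into (regex, flags).

    Raises ValueError with a Snort-like message when the leading "/" is missing,
    which is exactly the defect in the original "\\/trackback\\/$/EiU" option.
    """
    if not option.startswith("/"):
        raise ValueError(f'unable to parse pcre regex "{option}"')
    # Walk back from the end to the last unescaped "/" so trailing flags split off.
    end = len(option) - 1
    while end > 0 and not (option[end] == "/" and option[end - 1] != "\\"):
        end -= 1
    if end == 0:
        raise ValueError(f'unable to parse pcre regex "{option}"')
    regex, flags = option[1:end], option[end + 1:]
    for f in flags:
        if f not in _RE_FLAGS and f not in _SNORT_ONLY:
            raise ValueError(f'unknown pcre modifier "{f}" in "{option}"')
    return regex, flags


def uri_matches(option, uri):
    """Apply the option to a URI string, as the U modifier does to the URI buffer."""
    regex, flags = parse_snort_pcre(option)
    py_flags = 0
    for f in flags:
        py_flags |= _RE_FLAGS.get(f, 0)
    # Snort's E modifier makes "$" match only at the very end of the buffer;
    # Python's "$" also matches before a trailing newline, so use \Z instead.
    if "E" in flags and regex.endswith("$"):
        regex = regex[:-1] + r"\Z"
    return re.search(regex, uri, py_flags) is not None


if __name__ == "__main__":
    fixed = "/\\/trackback\\/$/Ui"          # the corrected option from the reply
    for uri in ("/blog/2014/10/trackback/", "/trackback/index.php"):  # constructed
        print(uri, "->", uri_matches(fixed, uri))
    try:
        parse_snort_pcre("\\/trackback\\/$/EiU")  # the original, missing leading "/"
    except ValueError as err:
        print(err)
```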



