[Snort-users] How to reference a $var in pcre?

Kirk Vogelsang kvogelsa at ...2692...
Wed May 12 14:11:09 EDT 2004


I'm having a bit of trouble getting access to a variable within a pcre
statement.  For example:

var TEST1 "foo"
var TEST2 "bar"

alert UDP any any -> any 161 ( sid: 123; rev: 1; msg: "Test";
  pcre: !"/\b($TEST1|$TEST2)\b/"; classtype: test:)

I'm trying to test the communities of SNMP packets.  If they're not
what they should be (foo or bar), issue an alert.

Unfortunately, both incorrect and correct packets trigger this alert.
If I replace $TEST1 and $TEST2 with the actual variable text, it works
as expected.

How does one reference var's within a pcre statement?

-----
Kirk M. Vogelsang <kvogelsa at ...2692...>
Northeastern University College of Computer Science




More information about the Snort-users mailing list