[Snort-users] How to reference a $var in pcre?
mkettler at ...4108...
Wed May 12 16:46:02 EDT 2004
At 05:10 PM 5/12/2004, Kirk Vogelsang wrote:
>I'm having a bit of trouble getting access to a variable within a pcre
>statement. For example:
>var TEST1 "foo"
>var TEST2 "bar"
>alert UDP any any -> any 161 ( sid: 123; rev: 1; msg: "Test";
> pcre: !"/\b($TEST1|$TEST2)\b/"; classtype: test;)
>I'm trying to test the communities of SNMP packets. If they're not
>what they should be (foo or bar), issue an alert.
>Unfortunately, both incorrect and correct packets trigger this alert.
>If I replace $TEST1 and $TEST2 with the actual variable text, it works.
>How does one reference vars within a pcre statement?
Actually, your question is really "how does one reference variables from
within a string expression" (pcre, content or uricontent).
As far as I know, the answer is you don't.
You could however do this:
var TEST1 "/\b(foo|bar)\b/"
alert UDP any any -> any 161 ( sid: 123; rev: 1; msg: "Test";
 pcre: !$TEST1; classtype: test;)
And it should work, but once you're inside the quotes, I don't think you'll
be able to access var statements.
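
An added example, not part of the original thread: since the variables are not expanded inside the quoted pcre string, one option is to expand them in a rule template before Snort loads the file. The helper names (expand_rules, pcre_literal) are hypothetical, the sample input is constructed from the rule in the question, and the sketch assumes one rule per line and handles pcre strings only.

```python
import re

VAR_LINE = re.compile(r'^\s*var\s+(\w+)\s+"([^"]*)"\s*$')
PCRE_OPT = re.compile(r'(pcre:\s*!?\s*")([^"]*)(")')  # assumes no escaped quote inside
VAR_REF = re.compile(r'\$(\w+)')

# Constructed input: the rule from the question, one rule per line.
SAMPLE_RULES = r'''var TEST1 "foo"
var TEST2 "bar"
alert UDP any any -> any 161 ( sid: 123; rev: 1; msg: "Test"; pcre: !"/\b($TEST1|$TEST2)\b/"; classtype: test;)'''


def pcre_literal(value):
    """Encode a value so PCRE matches it literally: every byte that is not
    an ASCII letter or digit becomes \\xHH, so '.', '/', ';' or '"' in a
    community string cannot change the regex or the rule syntax."""
    return "".join(
        chr(b) if b < 0x80 and chr(b).isalnum() else "\\x%02x" % b
        for b in value.encode("utf-8")
    )


def expand_rules(template):
    """Expand $NAME inside pcre strings only; rule headers are left for Snort."""
    variables, out = {}, []

    def fill(opt):
        # KeyError on an undefined name: an unexpanded $NAME leaves a pattern
        # that cannot match, so a negated pcre would fire on every packet.
        body = VAR_REF.sub(lambda ref: pcre_literal(variables[ref.group(1)]),
                           opt.group(2))
        return opt.group(1) + body + opt.group(3)

    for line in template.splitlines():
        var = VAR_LINE.match(line)
        if var:
            variables[var.group(1)] = var.group(2)
            out.append(line)  # keep the var line for use outside quoted strings
        else:
            out.append(PCRE_OPT.sub(fill, line))
    return "\n".join(out)


if __name__ == "__main__":
    print(expand_rules(SAMPLE_RULES))
```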