[Snort-users] How to reference a $var in pcre?

Matt Kettler mkettler at ...4108...
Wed May 12 16:46:02 EDT 2004


At 05:10 PM 5/12/2004, Kirk Vogelsang wrote:
>I'm having a bit of trouble getting access to a variable within a pcre
>statement.  For example:
>
>var TEST1 "foo"
>var TEST2 "bar"
>
>alert UDP any any -> any 161 ( sid: 123; rev: 1; msg: "Test";
>   pcre: !"/\b($TEST1|$TEST2)\b/"; classtype: test;)
>
>I'm trying to test the communities of SNMP packets.  If they're not
>what they should be (foo or bar), issue an alert.
>
>Unfortunately, both incorrect and correct packets trigger this alert.
>If I replace $TEST1 and $TEST2 with the actual variable text, it works
>as expected.
>
>How does one reference var's within a pcre statement?

Actually, your question is really "how does one reference variables from 
within a string expression" (pcre, content or uricontent).

As far as I know, the answer is you don't.

You could however do this:

var TEST1 "/\b(foo|bar)\b/"

alert UDP any any -> any 161 ( sid: 123; rev: 1; msg: "Test"; pcre: !$TEST1; classtype: test;)

And it should work, but once you're inside the quotes, I don't think you'll 
be able to access var statements.
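The symptom Kirk reports (every packet alerts) is what you get when `$TEST1` is left unexpanded inside the pattern: within a PCRE, `$` is the end-of-subject anchor, so `$TEST1` can never match anything and the negated pcre fires on every packet. The script below, an added example that is not from the thread or from Snort itself, models the behaviour Matt describes (variables expanded only outside quoted strings, a var's value substituted verbatim including its quotes, both of which are assumptions about Snort rather than a description of its parser), then runs both rule forms against a constructed list of community strings to show which ones would alert.

```python
import re

# Constructed sample SNMP community strings, not taken from the post.
SAMPLES = ["foo", "bar", "public", "foobar", "private"]

# The two rule forms from the thread, written on one line each.
QUOTED_FORM = r'alert UDP any any -> any 161 (sid:123; rev:1; msg:"Test"; pcre:!"/\b($TEST1|$TEST2)\b/"; classtype:test;)'
VAR_FORM = r'alert UDP any any -> any 161 (sid:123; rev:1; msg:"Test"; pcre:!$TEST1; classtype:test;)'

# Variable tables for the two approaches. Assumption: a var's value is substituted
# verbatim, quotes included, which is why Matt's var carries the surrounding quotes.
KIRK_VARS = {"TEST1": "foo", "TEST2": "bar"}
MATT_VARS = {"TEST1": r'"/\b(foo|bar)\b/"'}

VAR_TOKEN = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def expand_vars(rule, variables):
    """Model of the behaviour described in the answer (an assumption about Snort,
    not its parser): $NAME is replaced only when it sits outside a quoted string."""
    out, i, in_quote = [], 0, False
    while i < len(rule):
        ch = rule[i]
        if ch == '"':
            in_quote = not in_quote
        elif ch == "$" and not in_quote:
            m = VAR_TOKEN.match(rule, i)
            if m and m.group(1) in variables:
                out.append(variables[m.group(1)])
                i = m.end()
                continue
        out.append(ch)
        i += 1
    return "".join(out)


PCRE_OPTION = re.compile(r'pcre:\s*(!?)\s*"/(.*?)/([a-zA-Z]*)"\s*;')


def pcre_option(rule):
    """Extract (negated, pattern, flags) from a rule's pcre option."""
    m = PCRE_OPTION.search(rule)
    if not m:
        raise ValueError("rule has no well-formed pcre option: " + rule)
    return m.group(1) == "!", m.group(2), m.group(3)


def rule_alerts(rule, community):
    """True if the rule's pcre option would alert on this community string.
    A leading '!' inverts the sense: alert when the pattern does NOT match."""
    negated, pattern, flags = pcre_option(rule)
    re_flags = re.IGNORECASE if "i" in flags else 0
    matched = re.search(pattern, community, re_flags) is not None
    return matched != negated


def evaluate(rule, variables, communities):
    """Expand vars, then report which communities would raise an alert."""
    expanded = expand_vars(rule, variables)
    return {c: rule_alerts(expanded, c) for c in communities}


if __name__ == "__main__":
    for name, rule, variables in (("quoted $vars", QUOTED_FORM, KIRK_VARS),
                                  ("var outside quotes", VAR_FORM, MATT_VARS)):
        print(name, "->", expand_vars(rule, variables))
        for community, alert in evaluate(rule, variables, SAMPLES).items():
            print("  %-8s %s" % (community, "ALERT" if alert else "ok"))
```

With the quoted form every sample alerts, including "foo" and "bar". With the whole regex held in the var, only "public", "private" and "foobar" alert; "foobar" is rejected because the `\b` boundaries require the community to be exactly one of the allowed words rather than merely contain one.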
