[Snort-users] NNTP regex 2432

Steve Watt steve at ...12638...
Tue Nov 9 01:15:04 EST 2004


(Sigh.  I missed it in the manual before I sent the message, but
not after...)

On Nov 9,  0:38, Steve Watt wrote:
} I'm getting a fair number of false positives on the rule that's
} watching for an NNTP post without a Path: header.  (I.e. rule
} number 2432).

I'm still getting the false positives, but...

} I think the problem is with the regex; it appears (to my eyes)
} to be somewhat broken.

My eyes are somewhat broken; I found the bit about .*? being an
ungreedy version of .*.

However, I think the real problem is that the regex is requiring
*two* newlines after the Path: header.

Changing it thus:
  pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}\n/si"

makes the alert go away.

-- 
Steve Watt KD6GGD  PP-ASEL-IA          ICBM: 121W 56' 57.8" / 37N 20' 14.9"
 Internet: steve @ Watt.COM                         Whois: SW32
   Free time?  There's no such thing.  It just comes in varying prices...
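To make the difference between the two regexes concrete, here is an added example (not from the original post or from the Snort rule set) that runs both forms against constructed TAKETHIS payloads. It assumes the original rule 2432 regex is the modified one with a second `[\r]{0,1}\n` appended, as the post describes; the "split segment" payload is a constructed case where the header block continues in the next TCP segment, so no blank line has arrived yet.

```python
import re

# PCRE "/si" flags map to Python's DOTALL | IGNORECASE.
FLAGS = re.S | re.I

# The corrected regex quoted in the post: one line ending after the Path: line.
FIXED = re.compile(rb"^takethis.*?Path\x3a.*?[\r]{0,1}\n", FLAGS)

# Assumed form of the original rule 2432 regex (not taken from the rule set):
# identical, but demanding a second line ending, i.e. a blank line, after Path:.
ORIGINAL = re.compile(rb"^takethis.*?Path\x3a.*?[\r]{0,1}\n[\r]{0,1}\n", FLAGS)


def rule_fires(pattern, payload):
    """The rule negates its pcre ('!'), so it alerts when the regex does NOT match."""
    return pattern.search(payload) is None


# Constructed sample payloads (not captured traffic).
COMPLETE_POST = (b"TAKETHIS <1@example.invalid>\r\n"
                 b"Path: news.example.invalid!not-for-mail\r\n"
                 b"From: user@example.invalid\r\n"
                 b"Newsgroups: misc.test\r\n"
                 b"Subject: test\r\n"
                 b"\r\n"
                 b"body\r\n.\r\n")

# Same article, but this segment ends inside the header block: Path: is present
# and followed by a single line ending, yet no blank line exists in the payload.
SPLIT_SEGMENT = (b"TAKETHIS <2@example.invalid>\r\n"
                 b"Path: news.example.invalid!not-for-mail\r\n"
                 b"From: user@example.invalid\r\n")

# A post that genuinely lacks a Path: header; both forms should alert here.
NO_PATH = (b"TAKETHIS <3@example.invalid>\r\n"
           b"From: user@example.invalid\r\n"
           b"Newsgroups: misc.test\r\n"
           b"\r\n"
           b"body\r\n.\r\n")


def compare(payload):
    """Return (alerts with original regex, alerts with fixed regex) for one payload."""
    return rule_fires(ORIGINAL, payload), rule_fires(FIXED, payload)


if __name__ == "__main__":
    for name, data in [("complete", COMPLETE_POST), ("split", SPLIT_SEGMENT), ("no path", NO_PATH)]:
        print(f"{name:9s} original={compare(data)[0]!s:5s} fixed={compare(data)[1]!s:5s}")
```

Only the split-segment payload differs: the two-newline form alerts on it although a Path: header is present, while the one-newline form does not.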
