[Snort-users] pattern recognition problems

Travis Kincher travis at ...4877...
Wed Sep 15 11:15:45 EDT 2004


I'm running Snort-2.2.0, FreeBSD 5.2.1, and my problem, it appears, is 
that patterns are not matching correctly.

Here's an example with rule SID 2278 (WEB-MISC client negative 
Content-Length attempt)
--------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC 
client negative Content-Length attempt"; flow:to_server,established; 
content:"Content-Length|3A|"; nocase; 
pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:bugtraq,9098; 
reference:bugtraq,9476; reference:bugtraq,9576; 
reference:cve,2004-0095; classtype:misc-attack; sid:2278; rev:8;)
--------
So, of course, it is looking for an HTTP string containing a negative 
content-length, i.e. "Content-Length: -1024".

Here is an example of the data that apparently triggered this alert:
--------
HTTP/1.1 206 Partial Content..Server: Netscape-Enterprise/6.0..Date: 
Tue, 17 Aug 2004 16:09:46 GMT..Content-type: image/jpeg..Etag: 
"506d-70ab-411a9496"..Last-modified: Wed, 11 Aug 2004 21:50:14 
GMT..Content-length: 13019..Content-range: bytes 15824-28842/28843....
--------

My first thoughts were perhaps that PCRE was failing, but I could not 
find any indication that this was so.  Am I missing something here 
and/or is there a way to confirm or deny that PCRE patterns are 
working?  Searched the docs and the archives, but I failed to find 
anything relevant.  Any ideas appreciated.

Regards,
Travis Kincher
InfoGroup Northwest
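As an added example, not code from the original post or from Snort, the two payload checks of SID 2278 (the `content` match and the `pcre`) emulated in Python 3 and run against the quoted server response and a constructed negative-length request. It assumes the `..` in the archive's rendering of the response stands for CRLF, and does not evaluate `flow:to_server`, which depends on stream direction rather than payload bytes.

```python
import re

# Emulation of the payload checks of Snort SID 2278 (added example, not Snort code).
# content:"Content-Length|3A|"; nocase;  -> |3A| is the hex byte for ':'
CONTENT = b"content-length:"
# pcre:"/^Content-Length\x3a\s*-\d+/smi" -> Snort flags s, m, i map to DOTALL,
# MULTILINE and IGNORECASE; with MULTILINE, ^ anchors at every line start.
PCRE = re.compile(rb"^Content-Length\x3a\s*-\d+", re.S | re.M | re.I)


def rule_2278_matches(payload: bytes) -> dict:
    """Return the outcome of each payload check and their conjunction.

    Snort ANDs all rule options, so the alert fires only when the content
    match AND the pcre both succeed. flow:to_server is not emulated here.
    """
    content_hit = CONTENT in payload.lower()
    pcre_hit = PCRE.search(payload) is not None
    return {"content": content_hit, "pcre": pcre_hit, "alert": content_hit and pcre_hit}


# The server response quoted in the post; the archive shows non-printable
# bytes as '.', assumed here to be CRLF line endings (constructed rendering).
RESPONSE = (
    b"HTTP/1.1 206 Partial Content\r\n"
    b"Server: Netscape-Enterprise/6.0\r\n"
    b"Date: Tue, 17 Aug 2004 16:09:46 GMT\r\n"
    b"Content-type: image/jpeg\r\n"
    b'Etag: "506d-70ab-411a9496"\r\n'
    b"Last-modified: Wed, 11 Aug 2004 21:50:14 GMT\r\n"
    b"Content-length: 13019\r\n"
    b"Content-range: bytes 15824-28842/28843\r\n\r\n"
)

# Constructed client request carrying the negative length the rule describes.
NEGATIVE_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: -1024\r\n\r\n"
)

if __name__ == "__main__":
    for name, data in (("response", RESPONSE), ("negative request", NEGATIVE_REQUEST)):
        print(name, rule_2278_matches(data))
```

The quoted response passes the case-insensitive content check (it carries `Content-length: 13019`) but not the pcre, so on its own it does not satisfy the rule.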