[Snort-users] pattern recognition problems

Matt Kettler mkettler at ...4108...
Wed Sep 15 14:27:12 EDT 2004


At 01:48 PM 9/15/2004, Travis Kincher wrote:
>Here's an example with rule SID 2278 (WEB-MISC client negative 
>Content-Length attempt)
>--------
>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC 
>client negative Content-Length attempt"; flow:to_server,established; 
>content:"Content-Length|3A|"; nocase; 
>pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:bugtraq,9098; 
>reference:bugtraq,9476; reference:bugtraq,9576; reference:cve,2004-0095; 
>classtype:misc-attack; sid:2278; rev:8;)
>--------
>So, of course, it is looking for an HTTP string containing a negative 
>content-length, i.e. "Content-Length: -1024".
>
>Here is an example of the data that apparently triggered this alert:
>--------
>HTTP/1.1 206 Partial Content..Server: Netscape-Enterprise/6.0..Date: Tue, 
>17 Aug 2004 16:09:46 GMT..Content-type: image/jpeg..Etag: 
>"506d-70ab-411a9496"..Last-modified: Wed, 11 Aug 2004 21:50:14 
>GMT..Content-length: 13019..Content-range: bytes 15824-28842/28843....
>--------
>
>My first thoughts were perhaps that PCRE was failing, but I could not find 
>any indication that this was so.  Am I missing something here and/or is 
>there a way to confirm or deny that PCRE patterns are working?


Hmm, looking at the regex, and using perl's debugger to parse it, it should 
run fine as best I can tell. It could be a pcre issue, or a snort decoding 
issue (i.e.: the stream4 mangling bugs from the days of old).

The only thing I can see wrong with your regex is that the trailing + 
after \d is pointless since it's at the end of the regex. However, that 
won't prevent it from working, it's just a minor waste of time and CPU.

sidenote: This works because /\d/ will match on a digit, and doesn't care 
what follows. /\d+/ will match one or more digits, and doesn't care what 
follows. Both will match "1" "11111" "1111asdf" or "1asdf".

This optimization of removing a trailing + ONLY works at the end of a regex 
when no criteria follow (i.e.: /\d+\s/ is different than /\d\s/, but /\d/ 
and /\d+/ have the same set of matches.)

Similarly ranged expressions {n,m} can be reduced to non-ranged ones {n} at 
the end of any regex.

I wish I could be of help with your real problem, but I also hope my regex 
advice helps you to some degree.
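Added example (not from the thread): the check Travis asks for, done with Python's re module rather than Snort's PCRE engine, which is an assumption since the two engines may differ on edge cases. It runs the rule's pcre over the quoted server response (a constructed sample, with the ".." in the quote restored to CRLF line endings) and over a constructed negative-length request, then tests the reply's claims about the trailing + and {n,m} as match-set equivalences.

```python
import re

# Snort's /smi modifiers map to Python's re.S | re.M | re.I.
SMI = re.S | re.M | re.I

# The pcre option from SID 2278 as quoted above, and the same pattern with
# the trailing '+' dropped as the reply suggests.
SID_2278 = re.compile(r"^Content-Length\x3a\s*-\d+", SMI)
SID_2278_NO_PLUS = re.compile(r"^Content-Length\x3a\s*-\d", SMI)

# Constructed sample: the server response quoted in the question, with the
# ".." shown in the quote restored to CRLF line endings.
RESPONSE_FROM_QUESTION = (
    "HTTP/1.1 206 Partial Content\r\n"
    "Server: Netscape-Enterprise/6.0\r\n"
    "Date: Tue, 17 Aug 2004 16:09:46 GMT\r\n"
    "Content-type: image/jpeg\r\n"
    'Etag: "506d-70ab-411a9496"\r\n'
    "Last-modified: Wed, 11 Aug 2004 21:50:14 GMT\r\n"
    "Content-length: 13019\r\n"
    "Content-range: bytes 15824-28842/28843\r\n\r\n"
)

# Constructed sample of the traffic the rule is written for (hypothetical host).
NEGATIVE_LENGTH_REQUEST = (
    "POST /upload HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Content-Length: -1024\r\n\r\n"
)

def rule_pcre_matches(payload: str) -> bool:
    """True when the rule's pcre option would match this payload."""
    return SID_2278.search(payload) is not None

def same_match_set(pattern_a: str, pattern_b: str, samples, flags=SMI) -> bool:
    """True when both patterns match exactly the same subset of samples
    (the matched span may differ, but not whether a match exists)."""
    a, b = re.compile(pattern_a, flags), re.compile(pattern_b, flags)
    return all((a.search(s) is None) == (b.search(s) is None) for s in samples)

if __name__ == "__main__":
    print(rule_pcre_matches(RESPONSE_FROM_QUESTION))    # False
    print(rule_pcre_matches(NEGATIVE_LENGTH_REQUEST))   # True
    samples = ["1", "11111", "1111asdf", "1asdf", "asdf", "-7 ", "12 "]
    print(same_match_set(r"\d+", r"\d", samples))         # True
    print(same_match_set(r"\d{2,5}", r"\d{2}", samples))  # True
    print(same_match_set(r"^\d+\s", r"^\d\s", samples))   # False: "12 "
```

If the pattern does not match the quoted bytes here either, the alert is more likely to come from how the engine saw the stream than from the regex itself.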
