[Snort-users] sid:2318 invalid pcre match?

Crook, Parker Parker_Crook at ...14786...
Fri Jun 18 12:22:35 EDT 2010


For the rule, I have:

alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS non-relative
path access attempt"; flow:to_server,established; content:"Argument";
pcre:"m?^Argument\s+/?smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178;
reference:cve,2003-0977; reference:nessus,11947; classtype:misc-attack;
sid:2318; rev:4;)

but according to the new Snort manual, on page 142 the format can be:


So using ? as the delimiter, this would appear to be a valid pcre, and
translated into the usual format:



-----Original Message-----
From: Will Metcalf [mailto:william.metcalf at ...11827...] 
Sent: Friday, June 18, 2010 11:50 AM
To: Snort Users
Subject: [Snort-users] sid:2318 invalid pcre match?

Can somebody else verify?  It appears that sid:2318 contains an
invalid pcre match.  At least as far as the snort docs and pcretest
are concerned.
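The alternate-delimiter form discussed in this thread, as an added example that is not part of either message and is not Snort's code: a small parser that splits a `pcre` option value into delimiter, expression and modifiers and rewrites it in slash-delimited form. The function names are hypothetical, Python's `re` stands in for PCRE, and treating the last occurrence of the delimiter as the closing one is an assumption of this sketch.

```python
import re

# Letters Python's re can honour; Snort-only ones such as R are not applied.
PY_FLAGS = {"i": re.I, "s": re.S, "m": re.M, "x": re.X}

def parse_snort_pcre(value):
    """Split a pcre option value into (negated, delimiter, regex, modifiers)."""
    v = value.strip()
    negated = v.startswith("!")
    if negated:
        v = v[1:].lstrip()
    if len(v) >= 2 and v[0] == v[-1] == '"':
        v = v[1:-1]
    if v.startswith("/"):
        delim, body = "/", v[1:]
    elif v.startswith("m") and len(v) > 1:
        delim, body = v[1], v[2:]          # m<delim>regex<delim>modifiers
    else:
        raise ValueError("expected /regex/ or m<delim>regex<delim>")
    end = body.rfind(delim)                # assumption: last occurrence closes
    if end < 0:
        raise ValueError("missing closing delimiter")
    regex, mods = body[:end], body[end + 1:]
    if mods and not mods.isalpha():
        raise ValueError("unexpected characters after closing delimiter")
    return negated, delim, regex, mods

def to_slash_form(value):
    """Rewrite any accepted form as /regex/modifiers, escaping bare slashes."""
    negated, _, regex, mods = parse_snort_pcre(value)
    # Keep existing backslash escapes intact; escape only unescaped '/'.
    body = re.sub(r"(\\.)|/", lambda m: m.group(1) or "\\/", regex, flags=re.S)
    return ("!" if negated else "") + "/" + body + "/" + mods

def matches(value, payload):
    """Apply the parsed pattern to a payload string (re stands in for PCRE)."""
    negated, _, regex, mods = parse_snort_pcre(value)
    flags = 0
    for letter in mods:
        flags |= PY_FLAGS.get(letter, 0)
    return (re.search(regex, payload, flags) is not None) != negated

# Constructed sample: the first pcre of sid:2318 as quoted in the message.
SID_2318_PCRE = r'"m?^Argument\s+/?smi"'
```

With `?` as the delimiter the trailing `/` of the expression needs no escaping; in slash form it has to be written as `\/`.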



