[Snort-users] sid:2318 invalid pcre match?

Crook, Parker Parker_Crook at ...14786...
Fri Jun 18 12:22:35 EDT 2010


Will,

For the rule, I have:

alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS non-relative
path access attempt"; flow:to_server,established; content:"Argument";
pcre:"m?^Argument\s+/?smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178;
reference:cve,2003-0977; reference:nessus,11947; classtype:misc-attack;
sid:2318; rev:4;)

but according to the new Snort manual, on page 142 the format can be:

pcre:[!]"(/<regex>/|m<delim><regex><delim>)[ismxAEGRUBPHMCOIDKYS]";

So using ? as the delimeter, this would appear to be a valid pcre, and
translated into the usual format:

/^Argument\s+\//smi

-Parker

-----Original Message-----
From: Will Metcalf [mailto:william.metcalf at ...11827...] 
Sent: Friday, June 18, 2010 11:50 AM
To: Snort Users
Subject: [Snort-users] sid:2318 invalid pcre match?

Can somebody else verify?  It appears that sid:2318 contains an
invalid pcre match.  At least as far as the snort docs and pcretest
are concerned.

pcre:"m?^Argument\s+/?smi";

Regards,

Will

----------------------------------------------------------------------------
--
ThinkGeek and WIRED's GeekDad team up for the Ultimate 
GeekDad Father's Day Giveaway. ONE MASSIVE PRIZE to the 
lucky parental unit.  See the prize list and enter to win: 
http://p.sf.net/sfu/thinkgeek-promo
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 4894 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100618/87b387d6/attachment.bin>


More information about the Snort-users mailing list