[Snort-users] sid:2318 invalid pcre match?

Alex Kirk akirk at ...1935...
Fri Jun 18 12:25:42 EDT 2010


This is actually the conclusion we had just reached over here at SF. The
rule has had that PCRE since its initial creation back in December of 2003,
and was likely written that way to deal with parser issues present in Snort
at the time. We'll update the rule to use a "normal" style delimiter
shortly.

On Fri, Jun 18, 2010 at 12:22 PM, Crook, Parker <Parker_Crook at ...14786...>wrote:

> Will,
>
> For the rule, I have:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS non-relative
> path access attempt"; flow:to_server,established; content:"Argument";
> pcre:"m?^Argument\s+/?smi"; pcre:"/^Directory/smiR";
> reference:bugtraq,9178;
> reference:cve,2003-0977; reference:nessus,11947; classtype:misc-attack;
> sid:2318; rev:4;)
>
> but according to the new Snort manual, on page 142 the format can be:
>
> pcre:[!]"(/<regex>/|m<delim><regex><delim>)[ismxAEGRUBPHMCOIDKYS]";
>
> So using ? as the delimiter, this would appear to be a valid pcre, and
> translated into the usual format:
>
> /^Argument\s+\//smi
>
> -Parker
>
> -----Original Message-----
> From: Will Metcalf [mailto:william.metcalf at ...11827...]
> Sent: Friday, June 18, 2010 11:50 AM
> To: Snort Users
> Subject: [Snort-users] sid:2318 invalid pcre match?
>
> Can somebody else verify?  It appears that sid:2318 contains an
> invalid pcre match.  At least as far as the snort docs and pcretest
> are concerned.
>
> pcre:"m?^Argument\s+/?smi";
>
> Regards,
>
> Will
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk at ...1935...
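To check the two delimiter styles from the manual against the sid:2318 pcre, here is a small added Python parser (example code written for this thread, not from Snort or Sourcefire) that splits a pcre option value into regex and modifiers, rewrites it in the usual /.../ form, and compiles the regex with the modifiers Python's re module understands; the CVS payload at the end is constructed.

```python
import re

# Modifiers with a direct Python re equivalent; the others (R, U, P, H, ...)
# are Snort-specific, so they are validated here but not compiled.
PY_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}
SNORT_FLAGS = set("ismxAEGRUBPHMCOIDKYS")  # modifier list from the manual's syntax line


def parse_snort_pcre(value):
    r"""Parse a pcre option value such as m?^Argument\s+/?smi or /^Directory/smiR.
    Accepts both manual styles, /<regex>/<flags> and m<delim><regex><delim><flags>,
    and returns (negated, regex, flags)."""
    value = value.strip()
    negated = value.startswith("!")             # pcre:!"..." negates the match
    if negated:
        value = value[1:]
    if value.startswith('"') and value.endswith('"'):
        value = value[1:-1]                     # quotes copied from the rule text
    if value.startswith("/"):
        delim, body = "/", value[1:]
    elif value.startswith("m") and len(value) > 1:
        delim, body = value[1], value[2:]       # "m?" makes "?" the delimiter
    else:
        raise ValueError("pcre value must start with / or m<delim>: %r" % value)
    # The last delimiter separates regex from flags. Note that a delimiter
    # that is also a regex metacharacter ("?" here) is what confuses tools.
    end = body.rfind(delim)
    if end < 0:
        raise ValueError("missing closing delimiter %r" % delim)
    regex, flags = body[:end], body[end + 1:]
    unknown = set(flags) - SNORT_FLAGS
    if unknown:
        raise ValueError("unknown pcre modifier(s): %s" % "".join(sorted(unknown)))
    return negated, regex, flags


def to_slash_form(regex, flags):
    """Rewrite a parsed pcre in the usual /.../ style, escaping bare slashes."""
    return "/%s/%s" % (re.sub(r"(?<!\\)/", lambda m: "\\/", regex), flags)


def matches(value, payload):
    """Compile with the modifiers Python knows (R and friends are dropped)
    and search the payload the way the PCRE engine would."""
    _, regex, flags = parse_snort_pcre(value)
    py_flags = 0
    for f in flags:
        py_flags |= PY_FLAGS.get(f, 0)
    return bool(re.compile(regex, py_flags).search(payload))
```

Run on the rule's value, `to_slash_form(*parse_snort_pcre("m?^Argument\\s+/?smi")[1:])` gives the `/^Argument\s+\//smi` form quoted above, and `matches` returns True for a constructed `Argument /etc/passwd` line.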