Dailydave
mailing list archives
Re: Testing the quickness of signature writers
From: Brian Caswell <bmc () snort org>
Date: Tue, 2 May 2006 11:24:15 -0400
On May 2, 2006, at 10:39 AM, Dave Aitel wrote:
> That's a bit like getting a hole in one....on the wrong hole. Seeing
> as how I also thought it was April, when it's clearly May, we'll give
> you a half point here for effort.
An attempt to be cute, but failed. If you are a VRT rule subscriber,
you could have got the rule that would detect BABYBOTTLE April 12th.
http://www.snort.org/rules/advisories/vrt-rules-2006-04-12.html
> Does your script break if I shove a space in between the \x3b and the
> \x26?
No. \x3b and \x26 are URI param delimiters. By putting a space in
the wrong place, either the param will be broken (" module" is not
the same as "module"), or the underlying PHP would not work, which is
ok for us to alert on as well, e.g. "module= foo" (note the space).
> I try to understand snort signatures, but they're essentially
> optimized to be exactly the opposite of what my brain can handle. PCRE
> is here
> http://www.snort.org/docs/snort_manual/node21.html#SECTION004510000000000000000
> but maybe I'm not seeing it right.
The pcre rule option is a regular expression, using libpcre, the same
regular expression library that Python (and thus CANVAS) uses.
"/[\?\x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]/U"
Let's take a look at the RE in baby steps.
[?\x3b\x26]module
Look for the URI param "module". This would detect:
?module
or
foo=bar;module
or
foo=bar&module
What we have left is handling of the args. "=[a-zA-Z0-9]*[^\x3b\x26]".
What the rest of this says is:
skip alphanumeric characters. Then match if anything other than ;
or & shows up.
So:
=passthru(...)
By using this method, we don't alert on any "normal" modules.
Plugins can use the same interface, and users can write their own
plugins, so we can't just enumerate the acceptable modules. By
writing the rule as above, anything other than alphanumeric text as a
value for the module param will alert.
Brian
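The rule logic walked through above, as an added example that is not part of the original post or of the VRT rule: a small Python harness that applies the pcre to decoded request URIs (the decoding stands in for the /U modifier) over constructed sample request lines. It also records a caveat the post does not mention: as quoted, the greedy alphanumeric run can backtrack into the final class, so the adjusted pattern used here (an assumption of this example, not the rule text) also excludes alphanumerics from that class.

```python
import re
from urllib.parse import unquote

# The pcre body as quoted in the post. Caveat: the greedy [a-zA-Z0-9]* can
# backtrack and hand its last letter to [^;&], so a harmless "module=about"
# matches as well ("abou" + "t").
AS_QUOTED_RE = re.compile(r"[?\x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]")

# Adjusted pattern (assumption of this example, not the VRT rule text):
# alphanumerics are excluded from the final class, so the run cannot give
# anything back and only a non-alphanumeric, non-delimiter value char fires.
HARDENED_RE = re.compile(r"[?\x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26a-zA-Z0-9]")


def uri_buffer(request_line: str) -> str:
    """Decoded request URI, standing in for Snort's /U (decoded URI buffer)."""
    _method, uri, _version = request_line.split(" ", 2)
    return unquote(uri)


def alerts(request_line: str, pattern: re.Pattern = HARDENED_RE) -> bool:
    """True if the pcre would fire on this request line."""
    return pattern.search(uri_buffer(request_line)) is not None


# Constructed request lines (not traffic from the thread), with the verdict
# expected from the adjusted pattern.
SAMPLES = {
    "GET /help/?module=passthru(id) HTTP/1.0": True,          # the attack shape
    "GET /help/?show=1&module=passthru(id) HTTP/1.0": True,   # & delimiter
    "GET /help/?show=1;module=passthru(id) HTTP/1.0": True,   # ; delimiter
    "GET /help/?module=passthru%28id%29 HTTP/1.0": True,      # caught after decoding
    "GET /help/?module=%20foo HTTP/1.0": True,                # "module= foo": alert is fine
    "GET /help/?module=about HTTP/1.0": False,                # normal module name
    "GET /help/?module=about&show=1 HTTP/1.0": False,
    "GET /help/?show=module HTTP/1.0": False,                 # not the module param
}


def verdicts(pattern: re.Pattern = HARDENED_RE) -> dict:
    """Verdict per sample request line for the given pattern."""
    return {line: alerts(line, pattern) for line in SAMPLES}


if __name__ == "__main__":
    for line, hit in verdicts().items():
        print(f"{'ALERT' if hit else 'pass ':5} {line}")
    # As quoted, the pcre also fires on the harmless module name:
    print("as quoted, module=about alerts:", alerts("GET /help/?module=about HTTP/1.0", AS_QUOTED_RE))
```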