Dailydave: Re: Testing the quickness of signature writers

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Dailydave mailing list archives

Re: Testing the quickness of signature writers

From: Brian Caswell <bmc () snort org>
Date: Tue, 2 May 2006 14:51:06 -0400

On May 2, 2006, at 2:20 PM, M. Shirk wrote:

>> pcre:"/[\? \x3b\x26]module=[a-zA-Z0-9]*[^\x3b\x26]/U";
A forward slash, followed by any one char from the set ('?',';', '&')followed by the literal text "module=" followed by any number(zero or more)alphanumerics followed by any char that is neither ';' nor '&'.All matched
against the decoded URI buffer.
That space after the \? will be evaluated in the character set andthe forward slash acts as the bracket for the pcre expression.

In the rule I originally sent, there was no space in the characterset. Probably added accidentally when dave copied it in his response.


Brian

By Date By Thread

Current thread:

Re: Testing the quickness of signature writers, (continued)
- Re: Testing the quickness of signature writers Brian Caswell (May 01)
  - Re: Testing the quickness of signature writers Dave Aitel (May 02)
    - RE: Testing the quickness of signature writers Dave Korn (May 02)
    - RE: Testing the quickness of signature writers M. Shirk (May 02)
    - Re: Testing the quickness of signature writers Dave Aitel (May 02)
    - Re: Testing the quickness of signature writers Brian Caswell (May 02)
    - RE: Testing the quickness of signature writers Dave Korn (May 02)
    - Re: Testing the quickness of signature writers Brian Caswell (May 02)