Snort mailing list archives

pattern recognition problems


From: Travis Kincher <travis () ignw com>
Date: Wed, 15 Sep 2004 10:48:47 -0700

I'm running Snort-2.2.0, FreeBSD 5.2.1, and my problem, it appears, is that patterns are not matching correctly.

Here's an example with rule SID 2278 (WEB-MISC client negative Content-Length attempt):
--------
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC client negative Content-Length attempt"; flow:to_server,established; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:bugtraq,9098; reference:bugtraq,9476; reference:bugtraq,9576; reference:cve,2004-0095; classtype:misc-attack; sid:2278; rev:8;)
--------
So, of course, it is looking for an HTTP string containing a negative content-length, i.e. "Content-Length: -1024".

Here is an example of the data that apparently triggered this alert:
--------
HTTP/1.1 206 Partial Content..Server: Netscape-Enterprise/6.0..Date: Tue, 17 Aug 2004 16:09:46 GMT..Content-type: image/jpeg..Etag: "506d-70ab-411a9496"..Last-modified: Wed, 11 Aug 2004 21:50:14 GMT..Content-length: 13019..Content-range: bytes 15824-28842/28843....
--------

My first thoughts were perhaps that PCRE was failing, but I could not find any indication that this was so. Am I missing something here and/or is there a way to confirm or deny that PCRE patterns are working? Searched the docs and the archives, but I failed to find anything relevant. Any ideas appreciated.

Regards,
Travis Kincher
InfoGroup Northwest
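One way to check what the post asks about, as an added example that is not part of the original message or of Snort itself: run the rule's content match and its PCRE pattern over the quoted response (reconstructed with CRLF line endings where the archive shows "..") and over a constructed request that carries a negative Content-Length. Python's re module stands in for PCRE here; the flags and constructs used by this particular pattern (^ with /m, \x3a, \s*, \d+, /i) behave the same in both engines, but that equivalence is an assumption that must be re-checked for other rules. The example also reports traffic direction from the first line of the payload, since the rule's flow:to_server option restricts it to client-to-server packets.

```python
import re

# Rule options from SID 2278, transcribed from the post:
#   content:"Content-Length|3A|"; nocase;
#   pcre:"/^Content-Length\x3a\s*-\d+/smi";
# The /s, /m and /i modifiers map to re.S, re.M and re.I. Python's re
# is a stand-in for PCRE (assumption: equivalent for this pattern).
RULE_CONTENT = b"Content-Length:"
RULE_PCRE = re.compile(rb"^Content-Length\x3a\s*-\d+", re.S | re.M | re.I)

# Constructed payload: the server response quoted in the post, with the
# ".." placeholders written out as CRLF line terminators.
SERVER_RESPONSE = (
    b"HTTP/1.1 206 Partial Content\r\n"
    b"Server: Netscape-Enterprise/6.0\r\n"
    b"Date: Tue, 17 Aug 2004 16:09:46 GMT\r\n"
    b"Content-type: image/jpeg\r\n"
    b'Etag: "506d-70ab-411a9496"\r\n'
    b"Last-modified: Wed, 11 Aug 2004 21:50:14 GMT\r\n"
    b"Content-length: 13019\r\n"
    b"Content-range: bytes 15824-28842/28843\r\n"
    b"\r\n"
)

# Constructed client request of the kind the rule is written to catch
# (hypothetical path and host; only the header value matters).
NEGATIVE_REQUEST = (
    b"POST /cgi-bin/upload HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Length: -1024\r\n"
    b"\r\n"
)


def content_matches(payload: bytes) -> bool:
    """Snort 'content' with 'nocase': a case-insensitive substring search."""
    return RULE_CONTENT.lower() in payload.lower()


def pcre_matches(payload: bytes) -> bool:
    """The rule's pcre option evaluated over the whole payload."""
    return RULE_PCRE.search(payload) is not None


def is_to_server(payload: bytes) -> bool:
    """True for an HTTP request (client -> server), False for a status line
    (server -> client). The rule's flow:to_server only covers the former."""
    return not payload.startswith(b"HTTP/")


def evaluate(payload: bytes) -> dict:
    """Report each match stage and whether all of them hold at once."""
    content = content_matches(payload)
    pcre = pcre_matches(payload)
    to_server = is_to_server(payload)
    return {
        "content": content,
        "pcre": pcre,
        "to_server": to_server,
        "alert": content and pcre and to_server,
    }


if __name__ == "__main__":
    for name, payload in (("server response", SERVER_RESPONSE),
                          ("negative request", NEGATIVE_REQUEST)):
        print(name, evaluate(payload))
```

For the quoted response the content option matches (nocase makes "Content-length:" equal to "Content-Length:"), but the PCRE does not, because the value 13019 has no leading minus sign; the constructed negative request satisfies every stage. Running a rule's content and pcre options separately like this is a quick way to see which stage of the match is responsible for an alert before suspecting the engine itself.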


