Snort mailing list archives

Re: NNTP regex 2432


From: steve () Watt COM (Steve Watt)
Date: Tue, 9 Nov 2004 01:14:14 -0800

(Sigh.  I missed it in the manual before I sent the message, but
not after...)

On Nov 9,  0:38, Steve Watt wrote:
} I'm getting a fair number of false positives on the rule that's
} watching for an NNTP post without a Path: header.  (I.e. rule
} number 2432).

I'm still getting the false positives, but...

} I think the problem is with the regex; it appears (to my eyes)
} to be somewhat broken.

My eyes are somewhat broken; I found the bit about .*? being an
ungreedy version of .*.

However, I think the real problem is that the regex is requiring
*two* newlines after the Path: header.

Changing it thus:
  pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}\n/si"

makes the alert go away.

-- 
Steve Watt KD6GGD  PP-ASEL-IA          ICBM: 121W 56' 57.8" / 37N 20' 14.9"
 Internet: steve @ Watt.COM                         Whois: SW32
   Free time?  There's no such thing.  It just comes in varying prices...
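Added illustration, not part of Steve's message or of the Snort rule set: the pcre from the post, run through Python's re module against two constructed NNTP TAKETHIS payloads. Snort's "/si" modifiers map to re.S and re.I, and the leading "!" on a Snort pcre option means the rule fires when the pattern does not match, so the emulation alerts only when the search fails. The GREEDY_VARIANT (.* instead of .*?) is my own construction to show why the ungreedy form stops at the first newline after Path:; it is not the regex of the original rule 2432, which the thread does not quote. Sample payloads and the helper names are made up for this example.

```python
import re

# The pcre as posted, Snort syntax pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}\n/si".
# "/s" -> re.S (dot also matches newline), "/i" -> re.I (case-insensitive).
# Without a multiline flag, "^" anchors at the start of the buffer in both
# PCRE and Python's re. The "!" negation is emulated in rule_2432_would_alert().
POSTED_PATTERN = re.compile(rb"^takethis.*?Path\x3a.*?[\r]{0,1}\n", re.S | re.I)

# Constructed greedy counterpart (NOT the original rule's regex): with re.S,
# the greedy ".*" after "Path:" swallows everything up to the last newline
# in the payload and only then backtracks to satisfy "[\r]{0,1}\n".
GREEDY_VARIANT = re.compile(rb"^takethis.*?Path\x3a.*[\r]{0,1}\n", re.S | re.I)

# Constructed sample payloads (not real traffic), CRLF line endings as on the wire.
WITH_PATH = (
    b"TAKETHIS <abc@example.test>\r\n"
    b"Path: news.example.test!not-for-mail\r\n"
    b"From: someone@example.test\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"body line\r\n"
    b".\r\n"
)

NO_PATH = (
    b"TAKETHIS <def@example.test>\r\n"
    b"From: someone@example.test\r\n"
    b"Subject: no path header here\r\n"
    b"\r\n"
    b"body line\r\n"
    b".\r\n"
)


def rule_2432_would_alert(payload: bytes) -> bool:
    """Emulate the negated pcre: the rule alerts iff the pattern fails to match."""
    return POSTED_PATTERN.search(payload) is None


def matched_span(pattern: re.Pattern, payload: bytes):
    """Return (start, end) of the match, or None, to show how far each form reaches."""
    m = pattern.search(payload)
    return None if m is None else (m.start(), m.end())


if __name__ == "__main__":
    for name, payload in (("WITH_PATH", WITH_PATH), ("NO_PATH", NO_PATH)):
        print(name, "alert:", rule_2432_would_alert(payload))
    # Ungreedy stops right after the CRLF that ends the Path: line;
    # greedy runs to the final newline of the payload.
    print("ungreedy span:", matched_span(POSTED_PATTERN, WITH_PATH))
    print("greedy span:  ", matched_span(GREEDY_VARIANT, WITH_PATH))
```

The span printed for POSTED_PATTERN ends exactly where the From: header begins, i.e. one newline after Path:, which is the behaviour the post is after; the greedy variant's span ends at the last byte of the payload, which is why a pattern built on .* matches far more than the header it is meant to check.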

