Re: Adding Regex into Snort rule

[Charlie Egan <chas5873 () gmail com>]

Cheers for getting back to me Nick,

That makes complete sense, I've been looking into using the isdataat
option, and from what I understand it will look for a content match however
many bytes that you specify further on to the initial content match? I'm
not at my machine at the moment with Snort on, so can't play around with it
until tomorrow unfortunately.

Would it fit into my rule something like the following? Would appreciate it
if you can point out if anything's wrong!

alert tcp any any -> any any (content:"|90 90 90 90 90 90 90 90|"; depth:8;
isdataat:50, msg:"Buffer Overflow Attempt"; flow:to_server,established;
classtype:misc-attack; sid:1000001; rev:1;)

Cheers


On Mon, Jun 16, 2014 at 10:51 PM, Nicholas Mavis (nmavis) <nmavis () cisco com>
wrote:

>  Charlie,
>
>  It is also important to note that while a rule may appear more
> “advanced" using a PCRE, that is not always the case. I would define an
> advanced rule as something that is not prone to false positives and at the
> same time yields very good performance within Snort. PCRE’s are the most
> expensive rule option and should only be used if necessary. Typically, a
> good rule option for dealing with buffer overflows instead of using a pcre
> would be “isdataat”.
>
>  Just keep in mind that while something may look more “advanced", that
> doesn’t mean it is.
>
>  -Nick
>
>   From: Charlie Egan <chas5873 () gmail com>
> Date: Sunday, June 15, 2014 at 10:25 AM
> To: Nathan Fowler <nathan () packetmail net>
> Cc: "snort-sigs () lists sourceforge net" <snort-sigs () lists sourceforge net>
> Subject: Re: [Snort-sigs] Adding Regex into Snort rule
>
>     Thanks for the reply Nathan,
>
>  I'm actually a beginner when it comes to Snort and regex's. I was
> thinking of just adding something a long the lines of pcre:".{90,}";
> because anything with that amount of characters is bound to be a buffer
> overflow in this case if I'm correct?
>
>  This is for a project I'm currently doing, so the more advanced I can
> make my rules the better, although I definitely need to do a bit more
> research as the stuff about the HTTP POST to a 8-byte hex URI has confused
> me haha.
>
>  Cheers
>
>
>
>
> On Sun, Jun 15, 2014 at 2:58 AM, Nathan Fowler <nathan () packetmail net>
> wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On 06/14/14 16:51, Charlie Egan wrote:
> > > When I'm reloading Snort after adding my regex, it's not loading
> > > and giving me an error. If anyone could point me in the right
> > > direction of what the problem is, it would be much appreciated!
> >
> >  Mind sharing your PCRE?  Are you also using the / delimeters?
> >
> > Here's an example, lets say I want to detect on HTTP POST to an 8-byte
> > hex URI, I would do this:
> >
> > content:"POST"; http_method; urilen:9,norm; pcre:"/^\/[A-Fa-f0-9]{8}$/U";
> >
> > This help?
> >
> > Cheers,
> > Nathan
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1
> > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> >
> > iQIcBAEBAgAGBQJTnP3gAAoJEH0PSwc3CF1w2GQQAKdy4F2Z+EQnMcT6NmdVNtlf
> > FkJzhEyl3R5qSMC04IJkF0fXqoSA/2vgT03nlyAffpMVAl7+TjyfyPFbYiTcdwnH
> > ZZ1Nqit/cYLYRqgp7bVEdsyAK+E1al8f3c4NJ4BsNzgYl2A6ZHPDmomjFPjqGtqo
> > //8K4jL4/GUkaNf3Kr8sS4Z+EJXB9loGpmaMkIqncuICVpZbCfX+CY8DECoXXFOf
> > tP8a4egCNdBhZ1G8uXAOkXNOas9yOFaSi1S7A4YSapqnmULPIPxj+eay3N2ysuht
> > xH+PSMI9SDxLMD2yfkPPup9MCRfE76EnqLqZHneq39wO5PdKjDbD9MqOzLtzUzXn
> > yzmVu+J2aLqdqf4fpe/yiGdpXcxNa8nllSmWhXV+d8A/EykUDDs9qk2nTe0de2xg
> > SsBL2DcOYBDrWqtGjaXJtbrAP0Rl0XSUkitFHxFTdHQVRYbvPB8nQGe9rJonw14u
> > q+6e3q/6xLRKEOHkMcyHa94ENExio2E15qPLBntYHrGbbmFhgfDty8KrKookR2z9
> > xUJMzbLF9Y/IqZqTVtoEkorzyfdCLJuJr4VUv8+Jk0GgAbJZAzdIS5cRRJ1IZqmZ
> > dlsi8DU15FEcohs600sDI0Mkq91JroWQE9B1KqsmmrBSf/JRzLnVF5aa1VzNQLig
> > IS7I2jp/cS4iXrrnlZAX
> > =20f1
> > -----END PGP SIGNATURE-----
------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!