Snort rules regex matching

regex pcre snort
16,267

Solution 1

The (slightly crazy) syntax is pcre:"/regex/flags". The parentheses you wanted to put in there are superfluous anyway. You also need to escape any slash which is part of the actual regex, like in the example.

alert tcp any any -> any any(msg:"PDF is being downloaded"; pcre:"/.*site\/year\d\d\d\d.pdf/i"; sid: 100003; rev:3;)

... though probably you should remove the superfluous wildcard .* and add an anchor $ at the end, and also escape the dot to make it literal. You might also want to use a quantifier to specify exactly four repetitions of a digit.

alert tcp any any -> any any(msg:"PDF is being downloaded"; pcre:"/site\/year\d{4}\.pdf$/i"; sid: 100003; rev:3;)

Are you really sure you want the /i flag to make the match case-insensitive?

Solution 2

As tripleee mentioned, your parentheses were misplaced... but I also think that it's worth mentioning that since these are Perl regular expressions, you have some flexibility in the delimiters that you're using for the regular expression:

The syntax

pcre:[!]"(/<regex>/|m<delim><regex><delim>)[ismxAEGRUBPHMCOIDKYS]";

indicates that instead of using the traditional / delimiter, you may use the m operator (short for 'match'), followed by alternate delimiters... I'm using [ and ] in this case:

msg:"PDF is being downloaded"; pcre:"m[site/year\d{4}\.pdf$]i"; sid: 100003; rev:3;)

This doesn't buy you much in this particular case (because you're only one directory deep), but a more deeply nested directory would quickly become unreadable with all of the escaped / characters.

Share:
16,267
Babar
Author by

Babar

Updated on June 28, 2022

Comments

  • Babar
    Babar almost 2 years

    I want to generate an event in snort whenever someone visits a URL structured like

    site/year2015.pdf
site/year2014.pdf
:
:
site/year2000.pdf

    Instead of writing multiple snort rules as more URLs will be added over years I thought of utilizing PERC. The rule is written as.

    alert tcp any any -> any any(msg:"PDF is being downloaded"; pcre:"(/.*site\/year\d\d\d\d\.pdf)/i"; sid: 100003; rev:3;)

    I tried many different ways of inserting the regex in the rule above but it always fails to parse it. The Regex is doing fine what I want it to do here. The whole thing starts to fail because it does not start cause of rule not being parsed.

    Error received is

    Error: /etc/snort/rules/assignment.rules Line 3 => unable to parse pcre regex "(/.*site\/year\d\d\d\d\.pdf)/i"
Fatal Error Quitting..
  • Babar
    Babar almost 9 years
    Hmm... I am new to regex with Perl. And just the rule parsing was a triumph, but the rule is still not triggering any event. :(

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

PHP PCRE (regex) doesn't support UTF-8?
Getting all attributes from an <a> HTML tag with regex
How can I restrict some special characters only in PHP?
regex match after word
extract word with regular expression
How do I extract words from a comma-delimited string in Perl?
PHP PREG Regex: What does "\W" mean when using the UTF-8 modifier?
Find out subdomain using Regular Expression in PHP
How to check if a string only contains A-Z, a-z and 0-9?
pcregrep is not matching regex (multiline?)