Writing Snort Rules: A quick guide. Brian Caswell

2 The life of a packet through Snort's detection engine

3 Writing Snort Rules
Figure out what is "bad"
Capture traffic that includes the "bad stuff"
Learn the protocol
Figure out why the "bad stuff" is bad
Write a rule
Test the rule

4 More process
Rewrite the rule
Test the rule
Rewrite the rule
Test the rule
Rewrite the rule
Test the rule
Rewrite the rule
Test the rule

5 Even more process
Rewrite the rule
Test the rule
Rewrite the rule
Test the rule
Rewrite the rule
Test the rule
Rewrite the rule
Test the rule

6 Rule Format - basic rule
alert tcp any -> (msg:"foo"; content:"bar";)

7 Rule Format – Action
alert tcp any -> (msg:"foo"; content:"bar";)
Tells snort what the rule does
  – In our product: alert, pass
  – In snort: alert, log, pass, activate, dynamic
  – In snort-inline: alert, log, pass, activate, dynamic, drop, sdrop

8 Rule Format – Custom Actions
not supported in product
ruletype suspicious
{
    type log
    output log_tcpdump: suspicious.log
}
suspicious tcp any -> (msg:"foo"; content:"bar";)

9 Rule Format – Protocol
alert tcp any -> (msg:"foo"; content:"bar";)
Tells snort to look for a specific protocol
Acceptable protocols:
  – TCP
  – UDP
  – ICMP
  – IP

10 Rule Format - IP Address
alert tcp any -> (msg:"foo"; content:"bar";)
Examples
  – duh
  – /24 – through
  – ! /24 – anything but through
  – [ /24, /24] – through or through
  – ![ /24, /24] – anything but through or through

11 Rule Format - Port
alert tcp any -> (msg:"foo"; content:"bar";)
Examples:
  – any
  – 80
  – 1:1023 – 1 through 1023 (inclusive)
  – :1023 – less than or equal to 1023
  – 10: – greater than or equal to 10
  – !53 – not 53
  – !53:100 – not 53 through 100 (inclusive)
NOTE: NO PORT LISTS. 80,8080 IS NOT VALID!!!!

12 Rule Format - Direction
alert tcp any -> (msg:"foo"; content:"bar";)
->
  – From the first IP/Port to the second IP/Port
<>
  – From the first IP/Port to the second IP/Port OR from the second IP/Port to the first IP/Port

13 Rule Format - ... Oh yeah, variables
var EXTERNAL_NET any
var HTTP_PORTS 80
var SMTP_SERVERS
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS $HTTP_PORTS
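The header syntax from the protocol, address, port, direction and variable slides, as an added Python example that is not from the presentation: a small matcher that applies those rules (including the "no port lists" restriction and the "!" negation forms) to a constructed packet. The SMTP_SERVERS value is blank on the slide, so the example assumes a constructed 192.0.2.0/24.

```python
import ipaddress
import re


def parse_port_spec(spec):
    """Return (negated, low, high) for one Snort 2 port field.
    Accepts any, 80, 1:1023, :1023, 10:, !53 and !53:100; rejects lists."""
    if "," in spec:
        raise ValueError("port lists such as 80,8080 are not valid: %r" % spec)
    negated = spec.startswith("!")
    body = spec[1:] if negated else spec
    if body == "any":
        return negated, 0, 65535
    m = re.fullmatch(r"(\d*):(\d*)|(\d+)", body)
    if m is None:
        raise ValueError("bad port spec: %r" % spec)
    if m.group(3) is not None:                      # single port
        low = high = int(m.group(3))
    else:                                           # open or closed range
        low = int(m.group(1)) if m.group(1) else 0
        high = int(m.group(2)) if m.group(2) else 65535
    if not 0 <= low <= high <= 65535:
        raise ValueError("port range out of order: %r" % spec)
    return negated, low, high


def is_valid_port_spec(spec):
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def port_matches(spec, port):
    negated, low, high = parse_port_spec(spec)
    inside = low <= port <= high
    return not inside if negated else inside


def ip_matches(spec, addr):
    """IP field: any, a host, a CIDR block or a [a,b] list, each optionally
    prefixed with ! meaning 'anything but'."""
    negated = spec.startswith("!")
    body = spec[1:] if negated else spec
    if body == "any":
        return not negated
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    nets = [ipaddress.ip_network(p.strip(), strict=False) for p in body.split(",")]
    inside = any(ipaddress.ip_address(addr) in net for net in nets)
    return not inside if negated else inside


def header_matches(header, variables, pkt):
    """header: 'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS $HTTP_PORTS'.
    variables: dict of names set with 'var NAME value'.
    pkt: dict with proto, src, sport, dst, dport (a constructed packet)."""
    _action, proto, src, sport, direction, dst, dport = header.split()

    def expand(field):
        return variables[field[1:]] if field.startswith("$") else field

    src, sport, dst, dport = map(expand, (src, sport, dst, dport))
    if proto != pkt["proto"]:
        return False
    forward = (ip_matches(src, pkt["src"]) and port_matches(sport, pkt["sport"])
               and ip_matches(dst, pkt["dst"]) and port_matches(dport, pkt["dport"]))
    if direction == "->":
        return forward
    if direction == "<>":                            # either way round
        reverse = (ip_matches(dst, pkt["src"]) and port_matches(dport, pkt["sport"])
                   and ip_matches(src, pkt["dst"]) and port_matches(sport, pkt["dport"]))
        return forward or reverse
    raise ValueError("unknown direction: %r" % direction)


# Constructed values for the slide's variables (SMTP_SERVERS is blank on the slide).
VARS = {"EXTERNAL_NET": "any", "HTTP_PORTS": "80", "SMTP_SERVERS": "192.0.2.0/24"}
RULE = "alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS $HTTP_PORTS"
```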

14 Rule Format – Body
alert tcp any -> (msg:"foo"; content:"bar";)
meat of the detection capabilities
key value pairs (key:value;)
types of keywords
  – meta-data
  – payload
  – non-payload
  – post-detection

15 Meta-Data keywords
Msg
  – msg:"my evil attack";
Reference
  – reference:url,
Sid
  – sid:100000;
Rev
  – rev:100000;
Classtype (see classification.config)
  – classtype:attempted-recon;
Priority
  – priority:3;

16 Payload
Content
  – content:"foo";
Nocase
  – content:"foo"; nocase;
Rawbytes
  – content:"foo"; rawbytes;
Depth
  – content:"foo"; depth:10;
Offset
  – content:"foo"; offset:10;
Uricontent
  – uricontent:"foo";

17 Complicated Payload Options
distance
within
isdataat
byte_test
byte_jump
pcre

18 Broken Payload Keywords
regex
content-list
rpc

19 Non-Payload options:
ack (TCP Acknowledge Number)
  – ack:0;
dsize (Packet Size)
  – dsize:>10;
id (IP ID)
  – id:10;
fragoffset (fragment offset)
  – fragoffset:0;
fragbits (IP fragment bits)
  – fragbits:MD;

20 More non-payload options
ttl (IP Time To Live)
  – ttl:1;
tos (IP TOS)
  – tos:30;
ipopts (IP option)
  – ipopts:lsrr;
flags (TCP flags)
  – flags:SF;
flow (TCP State)
  – flow:to_server,established;

21 Even more non-payload options:
seq (TCP Sequence Number)
  – seq:0;
ttl (IP Time To Live)
  – ttl:10;
window (TCP Window Size)
  – window:55808;
itype (ICMP Type)
  – itype:8;
icode (ICMP Code)
  – icode:0;

22 Even more non-payload options (again)
icmp_id (ICMP ID)
  – icmp_id:0;
icmp_seq (ICMP Sequence Number)
  – icmp_seq:0;
ip_proto (IP Protocol)
  – ip_proto:6;
sameip (Are the IPs the same)
  – sameip;
stateless (Not part of a flow)
  – stateless;

23 The complicated options
distance
within
isdataat
byte_test
byte_jump
pcre

24 Distance
content:"SITE"; content:"EXEC"; distance:0;

  53 49 54 45 20 45 58 45 43 20 65 76   SITE EXEC ev
  69 6C 66 6F 6F 0A                     ilfoo

28 Within
content:"SITE"; content:!"|0a|"; within:50;

  53 49 54 45 20 45 58 45 43 20 65 76   SITE EXEC ev
  69 6C 66 6F 6F 0A                     ilfoo

Isdataat
content:"SITE"; content:!"|0a|"; within:50;

  53 49 54 45                           SITE

Isdataat
content:"SITE"; isdataat:50,relative; content:!"|0a|"; within:50;

  53 49 54 45                           SITE

Byte Test
content:" LSUB |22|"; content:"|22| {"; distance:0; byte_test:5,>,256,0,string,dec,relative;

  C B D 1 LSUB "" {1064}

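An added Python example, not code from the presentation, that evaluates the content, distance, within, isdataat and byte_test options from the Distance, Within, Isdataat and Byte Test slides against constructed payloads, so the isdataat point is visible: without it, a bare "SITE" fragment with no newline satisfies the within rule. The option tuples and payloads are constructed; the IMAP line assumes a tag of A001.

```python
import re


def unhex(s):
    """Expand Snort |hex| escapes inside a content string: 'a|0a|b' -> b'a\\nb'."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1")
                    for i, p in enumerate(s.split("|")))


OPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}


def evaluate(payload, options):
    """Run payload options against one packet payload, keeping Snort's
    'relative' cursor (end of the last content match).  Option forms are a
    constructed tuple syntax, not Snort's text syntax:
      ("content", "pat", {"distance": n, "within": n, "offset": n, "depth": n})
      ("isdataat", n)                                       # relative to the cursor
      ("byte_test", size, op, value, offset, "string"|"raw")  # relative
    Returns True when every option matches."""
    cursor = 0
    for opt in options:
        if opt[0] == "content":
            pat, mods = opt[1], opt[2]
            negated = pat.startswith("!")
            needle = unhex(pat[1:] if negated else pat)
            relative = "distance" in mods or "within" in mods
            # distance/within search from the cursor; offset/depth from byte 0
            start = cursor + mods.get("distance", 0) if relative else mods.get("offset", 0)
            limit = mods.get("within") if relative else mods.get("depth")
            window = payload[start:] if limit is None else payload[start:start + limit]
            pos = window.find(needle)
            if negated:                   # must be absent; the cursor does not move
                if pos != -1:
                    return False
                continue
            if pos == -1:
                return False
            cursor = start + pos + len(needle)
        elif opt[0] == "isdataat":        # is there a byte N past the cursor?
            if len(payload) <= cursor + opt[1]:
                return False
        elif opt[0] == "byte_test":
            _, size, op, value, offset, mode = opt
            chunk = payload[cursor + offset:cursor + offset + size]
            if mode == "string":          # like strtoul: stop at the first non-digit
                m = re.match(rb"\d+", chunk)
                if m is None:
                    return False
                number = int(m.group())
            else:
                if len(chunk) < size:
                    return False
                number = int.from_bytes(chunk, "big")
            if not OPS[op](number, value):
                return False
        else:
            raise ValueError("unsupported option %r" % (opt[0],))
    return True


# Constructed sample payloads (not taken from the slides).
NORMAL = b"SITE EXEC evilfoo\n"             # the slides' buffer
OVERLONG = b"SITE " + b"A" * 60 + b"\n"      # no newline within 50 bytes of SITE
FRAGMENT = b"SITE"                           # command cut off before its newline

DISTANCE = [("content", "SITE", {}), ("content", "EXEC", {"distance": 0})]
WITHIN = [("content", "SITE", {}), ("content", "!|0a|", {"within": 50})]
ISDATAAT = [("content", "SITE", {}), ("isdataat", 50),
            ("content", "!|0a|", {"within": 50})]
# IMAP literal length check from the Byte Test slide, run on a constructed line
BYTE_TEST = [("content", " LSUB |22|", {}), ("content", "|22| {", {"distance": 0}),
             ("byte_test", 5, ">", 256, 0, "string")]


def imap_lsub(length):
    return b'A001 LSUB "" {%d}\r\n' % length
```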

Byte Jump
content:"| |"; offset:8; depth:4; content:"| F3|"; offset:16; depth:4; content:"| |"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative;

  F 9C D5 2B Q F E D1 6A C 6F   ^.j....loca
  6C 68 6F                      lhost
  F FF                          AAAAAAAAAAAAAAAA

50 PCRE
Perl Compatible Regular Expressions
a few snort specific options
when using, ALWAYS include a regular content
NOT PART OF FAST PATTERN MATCHER!
Read Mastering Regular Expressions

51 PCRE Format
pcre:[!]"(/ /|m )[ismxAEGRUB]";
Examples
  – pcre:"/blah.*blah/";
  – pcre:"m?blah/.*blah?";
  – pcre:"/blah.*blah/i";
  – pcre:!"/blah/i";
  – content:"foo"; pcre:!"/blah/R";

52 PCRE basic options
pcre:"/blah.*blah/OPTIONS_GO_HERE";
i – case insensitive
s – include newlines in the dot metacharacter
m – ^ and $ also match at line breaks, not only at the start and end of the buffer
x – ignore whitespace in rules

53 PCRE options PCRE specific
pcre:"/blah.*blah/OPTIONS_GO_HERE";
A – the pattern must match only at the start of the buffer (same as ^)
E – $ only matches end of string
G – Invert greediness (match as little as possible)

54 PCRE options Snort specific
pcre:"/blah.*blah/OPTIONS_GO_HERE";
R – Relative Match (same as distance:0;)
U – URI match (same as uricontent)
B – Do not use the decoded buffers (same as rawbytes)

55 PCRE Regex metacharacters
\ – Quote the next metacharacter
^ – Match the beginning of the line
. – Match any character (except newline)
$ – Match the end of the line (or before newline at the end)
| – Alternation
() – Grouping
[] – Character class
pcre:"/^(foo|bar)$/";

56 PCRE patterns
\t – tab
\n – newline (LF)
\r – return (CR)
\033 – octal char (think of a PDP-11)
\x0a – hex char

57 more PCRE patterns
\x{263a} – wide hex char (Unicode SMILEY)
\l – lowercase next char (think vi)
\u – uppercase next char (think vi)
\L – lowercase till \E (think vi)
\U – uppercase till \E (think vi)
\Q – quote (disable) pattern metacharacters till \E
\E – end case modification (think vi)

58 Even more PCRE patterns
\w – Match a "word" character (alphanumeric plus "_")
\W – Match a non-"word" character
\s – Match a whitespace character
\S – Match a non-whitespace character
\d – Match a digit character
\D – Match a non-digit character
Example
  – "/\w\s\w/"
  – Matches: "FOO BAR"
  – Doesn't Match: "FOO "

59 PCRE Quantifiers
* – Match 0 or more times
+ – Match 1 or more times
? – Match 1 or 0 times
{n} – Match exactly n times
{n,} – Match at least n times
{n,m} – Match at least n but not more than m times
Example
  pcre:"/\w{3,5}/";

60 PCRE Example
CVE: CVE
Attack
  rcpt to: | /bin/id
  OR
  rcpt to: ; /bin/id
PCRE Example
  /rcpt to: | /bin/id/
  OR
  /rcpt to: ; /bin/id/
  /rcpt to: [;|] /bin/id/
  /rcpt to:\s*[;|]/
  /^rcpt to\x3a\s*[\x3b|]/
  /^rcpt to\x3a\s*[\x3b|]/i
  /^rcpt to\x3a\s*[\x3b|]/mi

61 PCRE Example (regex)
Attack
  rcpt to: | /bin/id
  OR
  rcpt to: ; /bin/id
PCRE
  /rcpt to: | \/bin\/id/
  OR
  /rcpt to: ; \/bin\/id/

62 PCRE Example (character classes)
Attack
  rcpt to: | /bin/id
  OR
  rcpt to: ; /bin/id
PCRE
  /rcpt to: [;|] \/bin\/id/

63 PCRE Example (remove command)
Attack
  rcpt to: | /bin/id
  OR
  rcpt to: ; /bin/id
PCRE
  /rcpt to: [;|]/

64 PCRE Example (remove : and ;)
Attack
  rcpt to: | /bin/id
  OR
  rcpt to: ; /bin/id
PCRE
  /rcpt to\x3a [\x3b|]/

65 PCRE Example (remove evasion)
Attack
  rcpt to: | /bin/id
  OR
  rcpt to: ; /bin/id
PCRE
  /rcpt to\x3a\s*[\x3b|]/i

66 PCRE Example (remove false positives)
Attack
  rcpt to: | /bin/id
  OR
  rcpt to: ; /bin/id
PCRE
  /^rcpt to\x3a\s*[\x3b|]/mi

67 PCRE completed example
alert tcp any any -> any 25 (flow:to_server,established; content:"rcpt to\:"; nocase; pcre:"/^rcpt\s+to\x3a\s*[|\x3b]/mi";)
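An added Python example, not from the presentation: the pattern progression from slides 61 to 67 run through Python's re module against the two attack lines plus constructed evasion variants and constructed benign lines, so each refinement's gain (and the false positive that the ^ with m removes) can be checked.

```python
import re

FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}


def compile_pcre(spec):
    """Compile a Snort-style '/pattern/flags' string with Python's re, which
    agrees with PCRE for everything these slides use."""
    body, _, flags = spec.rpartition("/")
    if not body.startswith("/"):
        raise ValueError("expected /pattern/flags: %r" % spec)
    mode = 0
    for ch in flags:
        mode |= FLAGS[ch]
    return re.compile(body[1:], mode)


# The slides' patterns, in the order they are refined.  Note that in the
# first one the bare | is an alternation, so it also fires on any line that
# merely contains " /bin/id" or "rcpt to: ".
STEPS = [
    r"/rcpt to: | \/bin\/id/",            # 61: literal, slashes escaped
    r"/rcpt to: [;|] \/bin\/id/",         # 62: character class for ; or |
    r"/rcpt to: [;|]/",                   # 63: drop the command
    r"/rcpt to\x3a [\x3b|]/",             # 64: hex-escape : and ;
    r"/rcpt to\x3a\s*[\x3b|]/i",          # 65: any whitespace, any case
    r"/^rcpt to\x3a\s*[\x3b|]/mi",        # 66: only at the start of a line
    r"/^rcpt\s+to\x3a\s*[|\x3b]/mi",      # 67: the completed rule's pcre
]

# Constructed samples: the two attack lines from the slides plus two
# variants, and two benign lines that a loose pattern also hits.
ATTACKS = [
    "rcpt to: | /bin/id",
    "rcpt to: ; /bin/id",
    "RCPT TO:;/bin/id",                   # case and whitespace evasion
    "rcpt  to: | /bin/id",                # extra space between the verbs
]
BENIGN = [
    "rcpt to:<alice@example.net>",        # ordinary SMTP recipient
    "Subject: rcpt to: ; forwarded",      # the string inside message data
]


def missed(spec):
    """Attack lines the pattern fails to match."""
    rx = compile_pcre(spec)
    return [s for s in ATTACKS if not rx.search(s)]


def false_positives(spec):
    """Benign lines the pattern matches anyway."""
    rx = compile_pcre(spec)
    return [s for s in BENIGN if rx.search(s)]
```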

68 The required bits
rule header - action ip port direction ip port
Msg
content (if you can)
Classtype
Sid
Rev
flow/stateless (for TCP rules)

69 A few notes
when multiple rules match at a time, longest content "wins"
long contents are good
multiple contents are ok, split up instead of being evaded
pcre without content is bad
include many references
test test test test test
use variables, they are there for a reason