Rules containing the pcre 'function' are missing that part
when output for a sensor. e.g. sid: 2267 should look like:-
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25
( sid: 2267; rev: 1; msg: "SMTP MAIL FROM sendmail
prescan too many addresses overflow"; flow:
to_server,established; content: "MAIL FROM\:"; nocase;
pcre: "/^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<
[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<
[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<
[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<
[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<
[^\n]*?<[^\n]*?<[^\n; reference: bugtraq,6991;
reference: cve,CAN-2002-1337; classtype: attempted-
admin;)
but actually looks like:-
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25
( sid: 2267; rev: 1; msg: "SMTP MAIL FROM sendmail
prescan too many addresses overflow"; flow:
to_server,established; content: "MAIL FROM\:"; nocase;
reference: bugtraq,6991; reference: cve,CAN-2002-
1337; classtype: attempted-admin;)
There should be about 105 rules that have pcre in them, but my
output only contains 1.
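A small consistency check, added here and not part of SnortCenter or the original report, that parses the option body of a Snort rule, lists the options present in the source rule but absent from the rule written out for a sensor, and flags a pcre value that was cut off (as happens when the column holding it is too short). The two rules below are constructed from the shape of sid 2267 above, with the pcre shortened to two address hops rather than the real signature.

```python
import re

# Constructed samples shaped like sid 2267 from the report; the pcre is
# shortened to two address hops and is not the real signature.
EXPECTED = ('alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( sid: 2267; rev: 1; '
            'msg: "SMTP MAIL FROM sendmail prescan too many addresses overflow"; '
            'flow: to_server,established; content: "MAIL FROM\\:"; nocase; '
            'pcre: "/^MAIL FROM\\x3a\\s*[^\\n]*?<[^\\n]*?</smi"; '
            'reference: bugtraq,6991; reference: cve,CAN-2002-1337; '
            'classtype: attempted-admin;)')
ACTUAL = ('alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 ( sid: 2267; rev: 1; '
          'msg: "SMTP MAIL FROM sendmail prescan too many addresses overflow"; '
          'flow: to_server,established; content: "MAIL FROM\\:"; nocase; '
          'reference: bugtraq,6991; reference: cve,CAN-2002-1337; '
          'classtype: attempted-admin;)')

# A complete pcre option value is a quoted /regex/ followed only by flag letters.
PCRE_FORM = re.compile(r'^"/.*/[A-Za-z]*"$', re.DOTALL)


def parse_options(rule):
    """Split the '( ... )' option body into (keyword, value) pairs.
    ';' separates options only outside double quotes, and a backslash
    inside quotes escapes the next character, so '\\:' and '\\;' survive."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    pairs, cur, quoted, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if quoted and ch == '\\' and i + 1 < len(body):
            cur.append(body[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        if ch == ';' and not quoted:
            pairs.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if ''.join(cur).strip():            # trailing option without ';'
        pairs.append(''.join(cur))
    out = []
    for opt in pairs:
        key, _, val = opt.strip().partition(':')
        out.append((key.strip(), val.strip()))
    return out


def missing_options(expected_rule, actual_rule):
    """Options present in the source rule but lost in the sensor output."""
    actual = parse_options(actual_rule)
    return [kv for kv in parse_options(expected_rule) if kv not in actual]


def pcre_is_complete(value):
    """True only for a closed, quoted /regex/flags; a truncated value fails."""
    return PCRE_FORM.match(value) is not None
```

Running `missing_options(EXPECTED, ACTUAL)` on the constructed pair returns just the pcre option, which is exactly what the report describes; a column that truncates the value instead of dropping it shows up as `pcre_is_complete` returning False.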
user_id=984574
I'll look at the code this weekend. I might have committed
the wrong version. I was working personally on Subversion
and then converted back to CVS for SourceForge. I was
reasonably sure I checked this and it was working.
Jason
user_id=984574
I just updated sensor.inc.php and database.php in the CVS. Grab those files
and see if it works for you now. It looks like the rules are coming out
correctly here. If you're still having problems, let me know.
Jason
user_id=991123
Jason, the revised files have sorted out the problem. Thank
you. I did notice one odd thing in getting my system back in
line once I had revised the database to the new format
(pcre text instead of varchar). The pcre items that had
overflowed had to have the whole rule deleted via SQL in order
to get the data to update correctly with a rule update from
the Internet. I wondered if this was another bit of code I was
missing?
Great to have a viable snortcenter system again! Keep up the
good work.
user_id=984574
Ummm, no, it probably means I missed an update statement.
There are several different ways that rules can get written
into the database.
I'll take a look and see if I can see why that might be
happening. It might have to do with the reformatting of the
database.
Jason