Bug #155

closed

Anchored pcre doesn't appear to work with /U modifier.

Added by Will Metcalf almost 14 years ago. Updated almost 14 years ago.

Status: Closed
Priority: Normal

Description

sid 2010504 should fire here. Simply removing the '$' anchor from the pcre will cause the sig to match, the flowbit will be set and thus the second sig will fire. The anchored pcre is valid for this pcap; this should fire in Suricata but doesn't. These rules fire fine in Snort. I should also note that I tested anchors with normal pcre and it appears to work fine.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .txt file with no Referrer - Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".txt"; nocase; pcre:"/\.txt$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010500; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2010500; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Potential Palevo executable download, executable purporting to be different file"; flowbits:isset,ET.hidden.exe; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; content:"This program"; within:120; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010504; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Mariposa; sid:2010504; rev:2;)


Files

2010504badmz.pcap (95.3 KB) - sandnet traffic sid 2010504 - Will Metcalf, 05/11/2010 08:15 PM
0001-add-pcre-with-U-modifiers-to-the-umatch-sigmatch-lis.patch (14.8 KB) - Anoop Saldanha, 06/23/2010 10:46 AM
Actions #1

Updated by Victor Julien almost 14 years ago

  • Target version changed from 0.9.1 to 0.9.2
Actions #2

Updated by Victor Julien almost 14 years ago

  • Due date changed from 05/14/2010 to 06/21/2010
  • Assignee changed from OISF Dev to Anoop Saldanha
  • Target version changed from 0.9.2 to 0.9.3
Actions #3

Updated by Victor Julien almost 14 years ago

  • Due date changed from 06/21/2010 to 06/25/2010
  • Assignee changed from Anoop Saldanha to Pablo Rincon
  • Target version changed from 0.9.3 to 1.0.0

Assigned to Pablo as part of a bigger task. Anoop, if you have already done work on this, please send what you have to Pablo. Thanks!

Actions #4

Updated by Anoop Saldanha almost 14 years ago

@Pablo

Attached the work done so far. The patch adds /U pcres to umatch list instead of pmatch. Have made some changes to detect-engine-uri.c as well to support the addition of pcre to umatch inspection.

Actions #5

Updated by Victor Julien almost 14 years ago

Please also make sure the following signature matches, as it's reported to fail to match currently:

Our suricata setup is totally missing some emerging-virus.rules (not even a mention in logs) like:

emerging-virus.rules:drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/^\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$/U"; pcre:"/\x0d\x0aHost\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker; sid:2009024; rev:9;)
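The following is an added illustration of why an anchored /U pcre fails when it is evaluated against the wrong buffer; it is not code from Suricata, the attached patch, or any of the commenters. It models the two routings discussed in this ticket (a /U pattern run against the URI buffer, versus the same pattern run against the whole payload) on constructed HTTP requests, and checks both the `\.txt$` rule from the description and the Conficker rule quoted in this comment. `extract_uri`, `parse_pcre_option`, `pcre_keyword_matches` and `rule_pcres_match` are hypothetical helpers; Suricata's real URI normalisation and pcre engine are not reproduced.

```python
import re

# Constructed sample requests for illustration (not taken from the pcap attached to this bug).
TXT_REQUEST = (
    b"GET /files/report.txt HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: test-client\r\n"
    b"\r\n"
)
CONFICKER_STYLE_REQUEST = (
    b"GET /search?q=12&aq=7?0a1b2c3d HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"\r\n"
)


def extract_uri(request: bytes) -> bytes:
    """Return the request-URI from the request line.

    Minimal hypothetical parser: it only splits the first line on spaces and
    does not perform the URI normalisation a real IDS applies.
    """
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[1]


def parse_pcre_option(option: str):
    """Split the argument of a pcre:"/pattern/mods" keyword.

    Returns (pattern as bytes, re flags, targets_uri_buffer). Only the i and U
    modifiers that appear in the rules on this page are interpreted.
    """
    if not option.startswith("/"):
        raise ValueError("pcre option must start with '/'")
    closing = option.rfind("/")
    if closing == 0:
        raise ValueError("pcre option has no closing '/'")
    pattern = option[1:closing].encode()
    mods = option[closing + 1:]
    flags = re.IGNORECASE if "i" in mods else 0
    return pattern, flags, "U" in mods


def pcre_keyword_matches(option: str, request: bytes, route_u_to_uri: bool = True) -> bool:
    """Evaluate a single pcre keyword against a request.

    route_u_to_uri=True runs a /U pattern against the URI buffer (the umatch
    list); route_u_to_uri=False runs it against the whole payload instead (the
    pmatch list), which is the misrouting this ticket describes. Patterns
    without /U always see the whole payload.
    """
    pattern, flags, on_uri = parse_pcre_option(option)
    buffer = extract_uri(request) if (on_uri and route_u_to_uri) else request
    return re.search(pattern, buffer, flags) is not None


def rule_pcres_match(options, request: bytes, route_u_to_uri: bool = True) -> bool:
    """A rule with several pcre keywords matches only if every one of them matches."""
    return all(pcre_keyword_matches(o, request, route_u_to_uri) for o in options)


if __name__ == "__main__":
    # Anchored /U pattern from sid 2010500: matches on the URI buffer, not on the payload,
    # because in the payload ".txt" is followed by " HTTP/1.1" rather than end-of-buffer.
    print("uri buffer  :", pcre_keyword_matches(r"/\.txt$/Ui", TXT_REQUEST))
    print("payload     :", pcre_keyword_matches(r"/\.txt$/Ui", TXT_REQUEST, route_u_to_uri=False))
    # Dropping the '$' anchor makes it match either way, as the reporter observed.
    print("no anchor   :", pcre_keyword_matches(r"/\.txt/Ui", TXT_REQUEST, route_u_to_uri=False))
    conficker = [
        r"/^\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$/U",
        r"/\x0d\x0aHost\: \d+\.\d+\.\d+\.\d+\x0d\x0a/",
    ]
    print("sid 2009024 :", rule_pcres_match(conficker, CONFICKER_STYLE_REQUEST))
```

The `^` and `$` anchors bind to the buffer the pattern is evaluated on, so the same pattern is correct on the URI buffer and silently dead on the full payload; the unanchored variant hides the routing error, which is why the reporter's "remove the `$`" observation is the useful diagnostic here.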

Actions #6

Updated by Victor Julien almost 14 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Patches applied, thanks Anoop & Pablo.
