Questions about signature regexes

Hi,

a few quick questions about the regular expressions used in rule content
conditions.

- Are they PCREs? I see a lot of "# Not supported: pcre" in
scripts/23b/example_bro_files/signatures.sig and wanted to make sure.

- When I want a pattern to match at the beginning of the payload, I
presume I have to say "payload /^", right?

- Can I match on fixed TCP stream content of a given length by giving
the whole string surrounded by ^ and $, i.e., this:

  payload /^foo$/

Thanks!

Cheers,
Christian.

> - Are they PCREs? I see a lot of "# Not supported: pcre" in

They are regexps but not PCREs; they use Bro's syntax which is
slightly different.

(That reminds me that I've a prototypical pcre->bro converter lying
around somewhere. But actually there doesn't seem to be much
interest in automatically converting Snort sigs these days.)

> - When I want a pattern to match at the beginning of the payload, I
> presume I have to say "payload /^", right?

Right. Alternatively you can just leave the "^" out as the regexps
are implicitly anchored at the first byte. To match at arbitrary
positions, a wildcard is required, e.g., "/.*foo/".

> - Can I match on fixed TCP stream content of a given length by giving
> the whole string surrounded by ^ and $, i.e., this:

Yes.

Robin
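The anchoring behaviour Robin describes is the detail most likely to cause missed detections when signatures are ported from Snort. The following is an added example (not code from the Bro project or from anyone in this thread) that emulates the two semantics with Python's re module, which is assumed to be close enough to Bro's syntax for these simple patterns, and lists the (signature, payload) pairs that a PCRE-style search would hit but Bro's implicitly anchored match would not.

```python
import re

# Constructed sample payloads, not captured traffic.
PAYLOADS = {
    "exact":    b"foo",
    "prefix":   b"foobar",
    "embedded": b"xxfooxx",
    "suffix":   b"barfoo",
}

# Patterns as they would appear between the slashes of "payload /.../".
SIGNATURES = {
    "implicit": r"foo",    # no ^, but Bro anchors at the first byte anyway
    "explicit": r"^foo",   # same thing, written out
    "anywhere": r".*foo",  # wildcard needed to match at arbitrary positions
    "exact":    r"^foo$",  # whole stream content of a fixed length
}

def bro_match(pattern: str, payload: bytes) -> bool:
    """Bro semantics: pattern implicitly anchored at byte 0 (re.match)."""
    return re.match(pattern.encode(), payload, re.DOTALL) is not None

def pcre_search(pattern: str, payload: bytes) -> bool:
    """What a Snort/PCRE author expects: an unanchored search."""
    return re.search(pattern.encode(), payload, re.DOTALL) is not None

def compare(signatures=SIGNATURES, payloads=PAYLOADS):
    """Return {sig: {payload: (bro_result, pcre_result)}}."""
    return {
        sname: {pname: (bro_match(pat, p), pcre_search(pat, p))
                for pname, p in payloads.items()}
        for sname, pat in signatures.items()
    }

def missed_by_bro(signatures=SIGNATURES, payloads=PAYLOADS):
    """(signature, payload) pairs hit by PCRE search but not by Bro's
    anchored match: the detection gap to look for when porting rules."""
    res = compare(signatures, payloads)
    return sorted((s, p) for s, d in res.items()
                  for p, (bro, pcre) in d.items() if pcre and not bro)

if __name__ == "__main__":
    for s, p in missed_by_bro():
        print(f"/{SIGNATURES[s]}/ misses {PAYLOADS[p]!r} under Bro semantics")
```

Only the unanchored "foo" signature shows a gap; adding ".*" or writing the anchor explicitly makes the intent unambiguous.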

Hi Robin:

> (That reminds me that I've a prototypical pcre->bro converter lying
> around somewhere. But actually there doesn't seem to be much
> interest in automatically converting Snort sigs these days.)

We have been using the snort2bro script, but it has quite a few limitations. A better, more comprehensive automatic conversion tool would definitely be something I would be interested in using with our bro installation.

Just thought I should put it on the table.

Thanks
Aashish Sharma

Although we're likely to significantly re-architect our IDS infrastructure soon, we would be happy with a more comprehensive and modern snort2bro functional equivalent. Being stuck with the Snort v2.2 ruleset is one of the downsides that would be nice to fix.

If we end up modifying snort2bro or writing our own (unlikely), I'll advocate that we contribute it to the Bro project.

Graham Freeman
Datacenter Security Administrator
IET - Datacenter & Client Services
University of California at Davis
gfreeman@ucdavis.edu
GPG Key 0xFEE4DF44

Let's do another poll: are there more readers of this list who'd be
interested in an updated Snort2Bro which can work with current Snort
signatures?

In case there is demand, is there perhaps even somebody who'd be
able to contribute some time to developing an updated converter?
While I probably won't be able to work much on this myself, I
could contribute the pieces which I have as well as, e.g., extend
Bro's signature engine somewhat if this turns out to be necessary.

Robin