Cisco Support Community

New Member

Deciphering Sig RegEx

I need some remedial help on the use of regular expressions in built-in sigs.

In particular, I am referring to the expressions used in Sig 3115 (Sendmail Header Overflow). I am seeing many false positives and I am trying to figure out just what the signature is looking for.

These are the expressions:

(\x3c>){20}

\x26lt;>\x26lt;>\x26lt;>...

Can you help?

Thanks,

Don

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: Deciphering Sig RegEx

From your expressions above, I presume that you're using 4.x sensors and looking for subsignature 3 of signature 3115. This signature is looking for the following:

(<>){20}

This is basically "<><><>..." repeated 20 or more times. "(\x3c>){20}" is the same thing as above. \x3c is the same as "<". We had to do this because of a regex quirk. The "\x26lt;>\x26lt;>\x26lt;>..." should look like "<><><>...". This is a victim of our XML data file which can't handle certain characters properly. This is a display bug. I'll look into getting this fixed.

In regards to the false positives, if you can capture some iplogs and send them to mcerha@cisco.com, I will look into the cause. I'd have to see the traffic to tell what exactly is going on.

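As an added illustration of the answer above (this is example code written for this page, not anything from the original thread or from Cisco's signature files), the script below runs the three spellings of the subsignature 3 pattern over constructed SMTP header samples. It shows that `(<>){20}` and `(\x3c>){20}` behave identically, that the entity-mangled `&lt;>` form seen in the display would not match real traffic, and that the 20 `<>` pairs have to be contiguous for the pattern to fire. All sample headers and the helper names are made up for this example.

```python
import re

# The three spellings of the subsignature 3 pattern quoted in the thread.
# The literal and hex forms are equivalent; the third is the entity-mangled
# display form from the XML data file and is NOT what the sensor actually runs.
SIG_LITERAL = re.compile(rb"(<>){20}")
SIG_HEX = re.compile(rb"(\x3c>){20}")        # \x3c is the hex escape for '<'
SIG_DISPLAYED = re.compile(rb"(&lt;>){20}")  # '&lt;' is the XML entity for '<'


def fires(pattern: re.Pattern, data: bytes) -> bool:
    """True if the pattern matches anywhere in data, the way a content search would."""
    return pattern.search(data) is not None


def smtp_header(pairs: int, separator: bytes = b"") -> bytes:
    """Build a constructed 'From:' header carrying `pairs` copies of '<>'.

    Sample data for this example only, not captured traffic.
    """
    return b"From: " + separator.join([b"<>"] * pairs) + b"\r\n"


def longest_run(data: bytes) -> int:
    """Length of the longest contiguous run of '<>' pairs (useful when explaining a hit)."""
    best = 0
    for m in re.finditer(rb"(?:<>)+", data):
        best = max(best, len(m.group(0)) // 2)
    return best


def classify(data: bytes) -> dict:
    """Report which spellings fire on `data` and how long the longest '<>' run is."""
    return {
        "literal": fires(SIG_LITERAL, data),
        "hex": fires(SIG_HEX, data),
        "displayed": fires(SIG_DISPLAYED, data),
        "longest_run": longest_run(data),
    }


# Constructed samples: below, at and above the threshold, a non-contiguous case,
# and the entity-encoded text that the display bug suggests.
SAMPLES = {
    "19 pairs": smtp_header(19),
    "20 pairs": smtp_header(20),
    "40 pairs": smtp_header(40),
    "20 pairs, space separated": smtp_header(20, b" "),
    "20 entity-encoded pairs": b"From: " + b"&lt;>" * 20 + b"\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:28s} {classify(data)}")
```

Note that `{20}` means exactly 20 repetitions of the group, but because the sensor searches anywhere in the stream, any run of 20 or more contiguous `<>` pairs contains a 20-pair run, which is why the answer describes it as "20 or more times". The space-separated sample shows that pairs broken up by other bytes do not count toward the run.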
