Solved: Deciphering Sig RegEx

dblairii · ‎01-22-2004

I need some remedial help on the use of regular expressions in built-in sigs.

In particular, I am referring to the expressions used in Sig 3115 (Sendmail Header Overflow). I am seeing many false positives and I am trying to figure out just what the signature is looking for.

These are the expressions:

(\x3c>){20}

\x26lt;>\x26lt;>\x26lt;>...

Can you help?

Thanks,

Don

mcerha · ‎01-22-2004

From your expressions above, I presume that you're using 4.x sensors and looking for subsignature 3 of signature 3115. This signature is looking for the following:

(<>){20}

This is basically "<><><>..." repeated 20 or more times. "(\x3c>){20}" is the same thing as above. \x3c is the same as "<". We had to do this because of a regex quirk. The "\x26lt;>\x26lt;>\x26lt;>..." should look like "<><><>...". This is a victim of our XML data file which can't handle certain characters properly. This is a display bug. I'll look into getting this fixed.

In regards to the false positives, if you can capture some iplogs and send them to mcerha@cisco.com, I will look into the cause. I'd have to see the traffic to tell what exactly is going on.

View solution in original post

mcerha · ‎01-22-2004

From your expressions above, I presume that you're using 4.x sensors and looking for subsignature 3 of signature 3115. This signature is looking for the following:

(<>){20}

This is basically "<><><>..." repeated 20 or more times. "(\x3c>){20}" is the same thing as above. \x3c is the same as "<". We had to do this because of a regex quirk. The "\x26lt;>\x26lt;>\x26lt;>..." should look like "<><><>...". This is a victim of our XML data file which can't handle certain characters properly. This is a display bug. I'll look into getting this fixed.

In regards to the false positives, if you can capture some iplogs and send them to mcerha@cisco.com, I will look into the cause. I'd have to see the traffic to tell what exactly is going on.