Cisco "String Signature" oddity...

From: Mark Amos (mark.amos@toast.net)
Date: 11/29/01

• Previous message: Scot Loach: "RE: did you witness overlapping packets in the wild ?"
• Next in thread: Seamus Hartmann: "RE: Cisco "String Signature" oddity..."
• Reply: Seamus Hartmann: "RE: Cisco "String Signature" oddity..."
• Reply: Christian Williams: "RE: Cisco "String Signature" oddity..."
• Reply: Mark Thyer: "RE: Cisco "String Signature" oddity..."
• Reply: Scott Cothrell: "RE: Cisco "String Signature" oddity..."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

To: focus-ids@securityfocus.com
From: "Mark Amos" <mark.amos@toast.net>
Subject: Cisco "String Signature" oddity...
Message-Id: <291101333.48295@webbox.com>
Date: Thu, 29 Nov 2001 13:24:56 -0800

I've been trying to set up a "String Signature" but can't get
it to fire, for some reason. The Cisco documentation says that
the string matching is done with regular expressions, but there
doesn't appear to be a document describing what the regular expression
syntax is for the product (CSPM)

I'm trying to detect the string ".pif" on port 80 as a test.
Here are the "regular expressions" I've tried, with no success...

.*\.pif$
\.pif$
[.]pif

(I found some documentary evidence that the [] act as an escape
for special characters in their regular expression syntax.)

Anyone have any advice (or a link to somewhere that defines Cisco's
IDS regular expression syntax. I couldn't find it on their web
site.)

I'm using CSPM 2.3.3 talking to a 4210 probe running 2.5(0)S0

Thanks in advance,

Mark

---

• Previous message: Scot Loach: "RE: did you witness overlapping packets in the wild ?"
• Next in thread: Seamus Hartmann: "RE: Cisco "String Signature" oddity..."
• Reply: Seamus Hartmann: "RE: Cisco "String Signature" oddity..."
• Reply: Christian Williams: "RE: Cisco "String Signature" oddity..."
• Reply: Mark Thyer: "RE: Cisco "String Signature" oddity..."
• Reply: Scott Cothrell: "RE: Cisco "String Signature" oddity..."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: how to use regex library ... Do I have to call regfreeevery time I use a regular expression, ... If I never call regfree(), do I have a memory leak? ... What's the difference between regcomp() and regexec? ... the documentation, or ever reads documentation, ... (comp.lang.c) Re: how to use regex library ... Do I have to call regfreeevery time I use a regular expression, ... the documentation, or ever reads documentation, ... target string and length of matched string. ... (There can be up to NSUBEXP that the library will handle, ... (comp.lang.c) Type object returned by the re.compile function ... According to the documentation, re.compile returns a "regular expression object". ... Traceback: ... AttributeError: 'module' object has no attribute 'RegexObject' ... (comp.lang.python) RE: Cisco "String Signature" oddity... ... Subject: Cisco "String Signature" oddity... ... > doesn't appear to be a document describing what the regular expression ... > IDS regular expression syntax. ... (Focus-IDS) regular expression behaviour ... theoretically the regular expression matches the string, ... The documentation says that the * ... (comp.unix.programmer)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > focus-ids  > 2001-11