[Oisf-users] Suricata PCRE Unicode/UTF-8 Matching

Travis Green travis at travisgreen.net
Tue Jan 22 19:07:15 UTC 2019


Carl, I found this to work for me using Suricata 4.1 and vanilla flavored
PCRE 8.38-3.1:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Test UTF-8";
flow:established,to_server; pcre:"/\xe6\x8a\x95/";  classtype:unknown;
sid:1003818; rev:1;)
# 01/22/2019-10:59:03.408638  [**] [1:1003818:1] Test UTF-8 [**]
[Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.22:49528 ->
128.123.123.203:8888

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Test UTF-8";
flow:established,to_server; content:"|e6 8a 95|";  classtype:unknown;
sid:1003819; rev:1;)
# 01/22/2019-10:59:04.993260  [**] [1:1003819:1] Test UTF-8 [**]
[Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.22:49528 ->
128.123.123.203:8888

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Test UTF-16";
flow:established,to_server; pcre:"/投/"; classtype:unknown; sid:1003821;
rev:1;)
# 01/22/2019-10:59:03.935684  [**] [1:1003821:1] Test UTF-16 [**]
[Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.22:49528 ->
128.123.123.203:8888

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Test UTF-16";
flow:established,to_server; content:"投"; classtype:unknown; sid:1003822;
rev:1;)
# 01/22/2019-10:59:03.408638  [**] [1:1003822:1] Test UTF-16 [**]
[Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.22:49528 ->
128.123.123.203:8888

Hope that helps,
-Travis

On Tue, Jan 22, 2019 at 9:37 AM carl rizzle <rizzlecarl at gmail.com> wrote:

> I am currently running Suricata-4.0.0 with pcre version 8.42.
>
> I compiled pcre version 8.42 as follows:
>
> ./configure --prefix=/usr                     \
>             --docdir=/usr/share/doc/pcre-8.42 \
>             --enable-unicode-properties       \
>             --enable-pcre16                   \
>             --enable-pcre32                   \
>             --enable-pcregrep-libz            \
>             --enable-pcregrep-libbz2          \
>             --disable-static                  \
>             --enable-pcretest-libreadline     \
>             --enable-utf8
>
> ...and ran make
>
> Suricata was compiled as follows:
>
> ./configure with_libpcre_includes=/root/suricata-4.0.0/pcre-8.42/
> with_libpcre_libraries=/root/suricata-4.0.0/pcre-8.42/.libs/
>
> ...and ran make && make install
>
> My goal is to make a rule that matches on the Chinese character: 投
>
> I created a rule that matches on utf-8 characters (i.e.
> pcre:"/\xe6\x8a\95/") as well as utf-16 (i.e. pcre:"/\X{6295}/"). Suricata
> accepted both rules but none of them matched the character that I know is in
> my sample data. Any idea if my PCRE expression is incorrect or if I
> configured Suricata incorrectly? Are there other encoding formats that I am
> missing?
>
> Thanks
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/



-- 
PGP: ABE625E6
keybase.io/travisbgreen
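An added illustration, not code from either message in this thread, of why Travis's byte-level forms work: Suricata's pcre and content keywords compare against the raw bytes on the wire, so the character has to be spelled out in whichever encoding the traffic actually carries, and a code-point escape such as PCRE's \x{6295} only denotes a code point when the pattern is compiled in UTF mode. The script below uses Python's byte-oriented re module as a stand-in for PCRE: it derives the content:"|..|" hex and \xNN escapes for 投 under UTF-8 and both UTF-16 byte orders, runs those byte patterns against constructed sample payloads, and shows that matching by code point succeeds only after the payload has been decoded with the right codec. The payloads and helper names are assumptions of this example.

```python
import re

CHAR = "\u6295"  # 投 (U+6295), the character the original question is about

# Constructed sample payloads (not captured traffic): the same character
# embedded in a small request body under three different encodings.
PAYLOADS = {
    "utf-8": b"q=" + CHAR.encode("utf-8") + b"&x=1",
    "utf-16-be": b"q=" + CHAR.encode("utf-16-be") + b"&x=1",
    "utf-16-le": b"q=" + CHAR.encode("utf-16-le") + b"&x=1",
}


def content_hex(char: str, encoding: str) -> str:
    """Render a character's bytes as a Suricata content:"|..|" hex string."""
    return "|" + " ".join(f"{b:02x}" for b in char.encode(encoding)) + "|"


def pcre_byte_escape(char: str, encoding: str) -> str:
    """Render the same bytes as the \\xNN escapes a byte-oriented pcre needs."""
    return "".join(f"\\x{b:02x}" for b in char.encode(encoding))


def matching_encodings(pattern: bytes, payloads=PAYLOADS) -> list:
    """Run a raw-byte regex (what PCRE sees without UTF mode) over every
    payload and report which encodings it hits."""
    rx = re.compile(pattern)
    return sorted(enc for enc, data in payloads.items() if rx.search(data))


def codepoint_match(payload: bytes, encoding: str) -> bool:
    """Code-point matching (the \\x{6295} idea) only works on decoded text,
    and only if the decoder matches the bytes; a wrong codec either raises
    or yields different characters, so the match fails."""
    try:
        text = payload.decode(encoding)
    except UnicodeDecodeError:
        return False
    return re.search("\u6295", text) is not None


if __name__ == "__main__":
    for enc in ("utf-8", "utf-16-be", "utf-16-le"):
        print(f"{enc:9s} content:{content_hex(CHAR, enc)!s:12s}"
              f" pcre:/{pcre_byte_escape(CHAR, enc)}/")
    # The two UTF-8 forms from the working rules are byte-for-byte equivalent
    # to the literal character written into a UTF-8 encoded rules file.
    print(matching_encodings(rb"\xe6\x8a\x95"))
    print(matching_encodings(re.escape(CHAR.encode("utf-8"))))
    # A UTF-16 big-endian payload needs its own two-byte pattern.
    print(matching_encodings(rb"\x62\x95"))
    # Decoding with the matching codec is what makes a code-point match work.
    print(codepoint_match(PAYLOADS["utf-8"], "utf-8"),
          codepoint_match(PAYLOADS["utf-8"], "utf-16-be"))
```

The practical takeaway for rule writing is the one Travis's tests show: a rule needs one byte pattern per encoding the traffic can use (UTF-8 and the two UTF-16 byte orders are three different patterns), and a literal character in the rule file is just its UTF-8 bytes.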