I want to generate an event in Snort whenever someone visits a URL structured like
site/year2015.pdf
site/year2014.pdf
:
:
site/year2000.pdf
Instead of writing multiple Snort rules, as more URLs will be added over the years, I thought of utilizing PCRE. The rule is written as:
alert tcp any any -> any any(msg:"PDF is being downloaded"; pcre:"(/.*site\/year\d\d\d\d\.pdf)/i"; sid: 100003; rev:3;)
I tried many different ways of inserting the regex in the rule above, but it always fails to parse. The regex itself does what I want it to do here. The whole thing fails because Snort does not start, since the rule cannot be parsed.
The error received is:
Error: /etc/snort/rules/assignment.rules Line 3 => unable to parse pcre regex "(/.*site\/year\d\d\d\d\.pdf)/i"
Fatal Error Quitting..
The (slightly crazy) syntax is pcre:"/regex/flags". The parentheses you wanted to put in there are superfluous anyway. You also need to escape any slash which is part of the actual regex, like in the example.
alert tcp any any -> any any(msg:"PDF is being downloaded"; pcre:"/.*site\/year\d\d\d\d.pdf/i"; sid: 100003; rev:3;)
... though probably you should remove the superfluous wildcard .* and add an anchor $ at the end, and also escape the dot to make it literal. You might also want to use a quantifier to specify exactly four repetitions of a digit.
alert tcp any any -> any any(msg:"PDF is being downloaded"; pcre:"/site\/year\d{4}\.pdf$/i"; sid: 100003; rev:3;)
Are you really sure you want the /i flag to make the match case-insensitive?
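To see what the parser objects to in the original rule and what the suggested fixes actually match, here is an added Python model of the Snort pcre option. It is not code from the question or the answer and not Snort's own parser: it splits the "/regex/modifiers" form the way Snort does (the value must start with "/", the last "/" closes the pattern, anything after it is modifiers), then runs the pattern against a constructed raw HTTP request or, when the Snort 2.x U modifier is present, against the request URI standing in for Snort's normalized URI buffer. The HTTP request and the URIs are constructed for this example; the names HTTP_REQUEST, URI_2015, URI_TRAILING and URI_NO_DOT are this example's own.

```python
import re

# Constructed sample traffic (not from the original post): a raw HTTP request as
# Snort sees it in the TCP payload, and the URI alone, standing in for the
# normalized URI buffer that Snort's U modifier selects.
HTTP_REQUEST = (
    b"GET /site/year2015.pdf HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: curl/7.68.0\r\n"
    b"\r\n"
)
URI_2015 = b"/site/year2015.pdf"
URI_TRAILING = b"/site/year2015.pdfx"   # should not count as a year PDF
URI_NO_DOT = b"/site/year2015xpdf"      # exposes an unescaped dot in the pattern

# PCRE modifiers Snort passes through to the regex engine, mapped to Python's re.
PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}
# Snort-specific modifiers that select a buffer or change matching behaviour.
# Only U (match against the normalized URI buffer) is modelled here.
SNORT_MODIFIERS = set("ABCDHIKMOPRSUGY")


def parse_snort_pcre(option_value):
    """Split the value of a Snort pcre option into (negated, regex, modifiers).

    Models Snort's syntax pcre:"/regex/modifiers" (a leading ! negates the
    match). Raises ValueError where Snort would refuse to load the rule.
    """
    value = option_value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    negated = value.startswith("!")
    if negated:
        value = value[1:]
    if not value.startswith("/"):
        raise ValueError("unable to parse pcre regex %r: must start with /" % option_value)
    end = value.rfind("/")  # Snort takes the last / as the closing delimiter
    if end == 0:
        raise ValueError("unable to parse pcre regex %r: no closing /" % option_value)
    regex, modifiers = value[1:end], value[end + 1:]
    bad = [m for m in modifiers if m not in PCRE_FLAGS and m not in SNORT_MODIFIERS]
    if bad:
        raise ValueError("unknown pcre modifier(s) %r" % "".join(bad))
    return negated, regex, modifiers


def snort_pcre_matches(option_value, payload, uri=None):
    """Evaluate a pcre option the way the detection engine applies it: against
    the normalized URI buffer if U is set, otherwise against the raw payload."""
    negated, regex, modifiers = parse_snort_pcre(option_value)
    flags = 0
    for m in modifiers:
        flags |= PCRE_FLAGS.get(m, 0)
    buffer = uri if "U" in modifiers else payload
    if buffer is None:
        return False
    hit = re.search(regex.encode("latin-1"), buffer, flags) is not None
    return hit != negated


def rule_loads(option_value):
    """True if Snort would accept the pcre option, False if it fails to parse."""
    try:
        parse_snort_pcre(option_value)
        return True
    except ValueError:
        return False


# The three forms from the thread, plus the U variant the $ anchor needs.
ORIGINAL   = r'"(/.*site\/year\d\d\d\d\.pdf)/i"'  # parentheses wrap the delimiters
FIRST_FIX  = r'"/.*site\/year\d\d\d\d.pdf/i"'     # loads, but the dot is still a wildcard
ANCHORED   = r'"/site\/year\d{4}\.pdf$/i"'        # $ anchors to the end of the payload
ANCHORED_U = r'"/site\/year\d{4}\.pdf$/iU"'       # $ anchors to the end of the URI buffer

if __name__ == "__main__":
    print("original loads:", rule_loads(ORIGINAL))
    print("first fix loads:", rule_loads(FIRST_FIX))
    print("first fix on request:", snort_pcre_matches(FIRST_FIX, HTTP_REQUEST))
    print("first fix, unescaped dot:", snort_pcre_matches(FIRST_FIX, URI_NO_DOT))
    print("anchored on raw request:", snort_pcre_matches(ANCHORED, HTTP_REQUEST))
    print("anchored+U on URI:", snort_pcre_matches(ANCHORED_U, HTTP_REQUEST, URI_2015))
    print("anchored+U on pdfx:", snort_pcre_matches(ANCHORED_U, HTTP_REQUEST, URI_TRAILING))
```

Two things the run makes visible. The first fix loads but still fires on /site/year2015xpdf because the unescaped dot matches any byte, which is why the answer escapes it. The $ anchor, on the other hand, only works against the right buffer: without U the pattern is applied to the whole TCP payload, where the URL is followed by " HTTP/1.1" and the headers, so the anchored rule never fires on a real request; adding U (Snort 2.x) or placing the pcre in the http_uri buffer (Snort 3) anchors it to the URI instead, and then /site/year2015.pdfx is correctly rejected.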