<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Question about STRING.TCP pattern matching in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/question-about-string-tcp-pattern-matching/m-p/321888#M99495</link>
    <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;I have a problem related to STRING.TCP engine pattern matching.&lt;/P&gt;&lt;P&gt;Within TCPDUMP I see that there is an offset of 43 bytes between two fixed hexadecimal values.&lt;/P&gt;&lt;P&gt;I tried to set the RegexString value to "\x26.{43}\x0F" in my custom sig, and I figured that it would fire when matching \x26, then 43 bytes of any value, and then \x0f... but it doesn't work!&lt;/P&gt;&lt;P&gt;The question is... how does the Cisco NIDS count 43 bytes? Is it possible that some de-obfuscation feature or something like this transforms the stream payload before analysis, changing the number of bytes?&lt;/P&gt;&lt;P&gt;Another question. I would like to match this string only on the first X TCP packets within a given session. Could the "EndMatchOffset" parameter help me with this?&lt;/P&gt;&lt;P&gt;Thanks in advance for any response.&lt;/P&gt;&lt;P&gt;Bye&lt;/P&gt;</description>
    <pubDate>Sun, 10 Mar 2019 09:22:51 GMT</pubDate>
    <dc:creator>t.santaguida</dc:creator>
    <dc:date>2019-03-10T09:22:51Z</dc:date>
    <item>
      <title>Question about STRING.TCP pattern matching</title>
      <link>https://community.cisco.com/t5/network-security/question-about-string-tcp-pattern-matching/m-p/321888#M99495</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;I have a problem related to STRING.TCP engine pattern matching.&lt;/P&gt;&lt;P&gt;Within TCPDUMP I see that there is an offset of 43 bytes between two fixed hexadecimal values.&lt;/P&gt;&lt;P&gt;I tried to set the RegexString value to "\x26.{43}\x0F" in my custom sig, and I figured that it would fire when matching \x26, then 43 bytes of any value, and then \x0f... but it doesn't work!&lt;/P&gt;&lt;P&gt;The question is... how does the Cisco NIDS count 43 bytes? Is it possible that some de-obfuscation feature or something like this transforms the stream payload before analysis, changing the number of bytes?&lt;/P&gt;&lt;P&gt;Another question. I would like to match this string only on the first X TCP packets within a given session. Could the "EndMatchOffset" parameter help me with this?&lt;/P&gt;&lt;P&gt;Thanks in advance for any response.&lt;/P&gt;&lt;P&gt;Bye&lt;/P&gt;</description>
      <pubDate>Sun, 10 Mar 2019 09:22:51 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/question-about-string-tcp-pattern-matching/m-p/321888#M99495</guid>
      <dc:creator>t.santaguida</dc:creator>
      <dc:date>2019-03-10T09:22:51Z</dc:date>
    </item>
    <item>
      <title>Re: Question about STRING.TCP pattern matching</title>
      <link>https://community.cisco.com/t5/network-security/question-about-string-tcp-pattern-matching/m-p/321889#M99496</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The best way to write this signature uses MinMatch length and MaxInspect length. MinMatch length is the minimum number of bytes required from the byte before the wildcard to the end of the pattern. MaxInspect length is the maximum depth to look in the stream for the match. Also, remember that "." is equivalent to [^\n]; if you really want to match on anything then you must use [\x00-\xff]. To write an efficient signature it is important to remember that any time you're repeating a large char class (for example [^\n] or [\x00-\xff]) for more than a few adjacent bytes you need to use a wildcard with match lengths. If you do not have a MaxInspect length then this can create the opportunity for false positives, but in this situation it will work perfectly.&lt;/P&gt;&lt;P&gt;You want something like:&lt;/P&gt;&lt;P&gt;\x26[\x00-\xff]+\x0F&lt;/P&gt;&lt;P&gt;MinMatch = 45&lt;/P&gt;&lt;P&gt;MaxInspect = 45 (or X+45 if this is not at the beginning of the stream)&lt;/P&gt;&lt;P&gt;You may still run into fidelity problems with this signature depending on how far in you set your max inspect length, since you're only looking for two specific bytes. If you can add anything else to the regex it would be a very good idea.&lt;/P&gt;&lt;P&gt;Hope this helps,&lt;/P&gt;&lt;P&gt;Craig&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 08 Apr 2005 17:07:17 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/question-about-string-tcp-pattern-matching/m-p/321889#M99496</guid>
      <dc:creator>craiwill</dc:creator>
      <dc:date>2005-04-08T17:07:17Z</dc:date>
    </item>
    <item>
      <title>Re: Question about STRING.TCP pattern matching</title>
      <link>https://community.cisco.com/t5/network-security/question-about-string-tcp-pattern-matching/m-p/321890#M99497</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Craig, it works!&lt;/P&gt;&lt;P&gt;Thanks for your suggestion.&lt;/P&gt;&lt;P&gt;Bye&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 13 Apr 2005 06:49:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/question-about-string-tcp-pattern-matching/m-p/321890#M99497</guid>
      <dc:creator>t.santaguida</dc:creator>
      <dc:date>2005-04-13T06:49:16Z</dc:date>
    </item>
  </channel>
</rss>