Question about STRING.TCP pattern matching

t.santaguida
Level 1

Hi all,

I have a problem with STRING.TCP engine pattern matching.

In TCPDUMP I see that there is an offset of 43 bytes between two fixed hexadecimal values.

I tried to set the RegexString value to "\x26.{43}\x0F" in my custom sig, and I figured that it would fire when it matched \x26, then 43 bytes of any value, and then \x0f... but it doesn't work!

The question is... how does the Cisco NIDS count 43 bytes? Is it possible that some de-obfuscation feature or something like it transforms the stream payload before analysis, changing the number of bytes?

Another question. I would like to match this string only in the first X TCP packets of a given session. Could the "EndMatchOffset" parameter help me with this?

Thanks in advance for any response.

Bye

2 Replies

craiwill
Cisco Employee

The best way to write this signature uses MinMatch length and MaxInspect length. MinMatch length is the minimum number of bytes required from the byte before the wildcard to the end of the pattern. MaxInspect length is the maximum depth to look in the stream for the match. Also, remember that “.” is equivalent to [^\n]; if you really want to match on anything then you must use [\x00-\xff]. To write an efficient signature it is important to remember that any time you are repeating a large char class (for example [^\n] or [\x00-\xff]) for more than a few adjacent bytes you need to use a wildcard with match lengths. If you do not have a MaxInspect length then this can create the opportunity for false positives, but in this situation it will work perfectly.

You want something like:

\x26[\x00-\xff]+\x0F

MinMatch = 45

MaxInspect = 45 (or X+45 if this is not at the beginning of the stream)

You may still run into fidelity problems with this signature depending on how far in you set your max inspect length since you’re only looking for two specific bytes. If you can add anything else to the regex it would be a very good idea.

Hope this helps,

Craig
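The two points in Craig's answer (that "." excludes the newline byte, and that MinMatch/MaxInspect bound the wildcard) can be reproduced outside the sensor. The script below is an added illustration, not code from the thread or from Cisco; it uses Python's re module as a stand-in for the STRING.TCP engine (an assumption: the sensor's own matcher is not Python, and stream reassembly is not modelled), emulates MinMatch as a minimum match length and MaxInspect as a byte window over the stream, and runs constructed payloads rather than captured traffic. For this particular pattern the match starts at the byte before the wildcard (\x26), so the total match length is the same span Craig describes.

```python
import re


def build_payload(filler, prefix=b""):
    """Constructed sample: 0x26, the filler bytes, then 0x0F,
    optionally preceded by unrelated stream data (the 'X' in X+45)."""
    return prefix + b"\x26" + filler + b"\x0F"


# Constructed payloads, not captured traffic.
PAYLOAD_CLEAN = build_payload(b"A" * 43)                      # 45 bytes total
PAYLOAD_WITH_NEWLINE = build_payload(b"A" * 20 + b"\n" + b"A" * 22)  # a 0x0A among the 43 bytes
PAYLOAD_TOO_SHORT = build_payload(b"A" * 10)                  # 0x0F arrives too early
PAYLOAD_DEEP = build_payload(b"A" * 43, prefix=b"X" * 100)    # pattern 100 bytes into the stream

# The regex from the question: "." does not match \n in bytes mode without DOTALL.
DOT_PATTERN = re.compile(rb"\x26.{43}\x0F")
# The same idea with an explicit full-byte class.
CLASS_PATTERN = re.compile(rb"\x26[\x00-\xff]{43}\x0F")
# Craig's wildcard form, meant to be paired with MinMatch/MaxInspect.
WILDCARD_PATTERN = re.compile(rb"\x26[\x00-\xff]+\x0F")


def engine_match(pattern, payload, min_match=0, max_inspect=None):
    """Emulate the sensor: search only the first max_inspect bytes of the stream
    (None = whole stream) and require the match to span at least min_match bytes."""
    window = payload if max_inspect is None else payload[:max_inspect]
    m = pattern.search(window)
    return m is not None and len(m.group(0)) >= min_match


def demo():
    """Return the outcomes discussed in the thread as a dict for inspection."""
    return {
        "dot_clean": engine_match(DOT_PATTERN, PAYLOAD_CLEAN),
        "dot_newline": engine_match(DOT_PATTERN, PAYLOAD_WITH_NEWLINE),
        "class_newline": engine_match(CLASS_PATTERN, PAYLOAD_WITH_NEWLINE),
        "wild_clean_45_45": engine_match(WILDCARD_PATTERN, PAYLOAD_CLEAN, 45, 45),
        "wild_short_45_45": engine_match(WILDCARD_PATTERN, PAYLOAD_TOO_SHORT, 45, 45),
        "wild_deep_45_45": engine_match(WILDCARD_PATTERN, PAYLOAD_DEEP, 45, 45),
        "wild_deep_45_145": engine_match(WILDCARD_PATTERN, PAYLOAD_DEEP, 45, 145),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {'match' if hit else 'no match'}")
```

The newline case is why the original "\x26.{43}\x0F" can silently fail on real traffic: one 0x0A byte in the gap and the "." quantifier cannot bridge it. The MaxInspect cases show the trade-off Craig mentions: with MaxInspect = 45 the deep payload is never examined, and raising it to X+45 (here 145) finds it, at the cost of more stream where two arbitrary bytes could line up by chance.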

Craig, it works!

Thanks for your suggestion.

Bye
