I am trying to incorporate the following regex into a snort rule to detect base64 in outbound ICMP traffic: ^-A-Za-z0-9+/=]|=[^=]|={3,}$
I did not write this expression myself; however, I tested it and it seems to work in http://regexe.com/ just fine.
The snort rule: alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Base64 detected in outbound ICMP traffic (possible ICMP tunnelling!)";pcre"^-A-Za-z0-9+/=]|=[^=]|={3,}$";)
I understand snort uses Perl Compatible Regex, which might explain the discrepancy; however, I am not skilled enough to find out what needs to be changed to fix this. I get the following error when I add this rule to the /etc/snort/rules/local.rules file: ERROR: /etc/snort/rules/local.rules Line 8 => unable to parse pcre regex "^-A-Za-z0-9+/=]|=[^=]|={3,}$"
Anyone able to assist?
Regards,
I believe you're missing the beginning and ending \ to declare pcre in a snort signature, so it should look like
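As an added example (not code from the question or the answer above), here is a small Python pre-check for the shape Snort expects from the pcre option, which is pcre:"/regex/flags"; with a colon after the keyword and forward-slash delimiters. The sample rules and payloads below are constructed for illustration; the third rule's regex is only a placeholder pattern, not a recommended base64 detector.

```python
import re

# Snort's pcre option has the form  pcre:"/<regex>/<flags>";  (colon after the
# keyword, slash delimiters, the whole thing inside double quotes).
PCRE_OPTION = re.compile(r'pcre\s*:\s*"(?P<body>[^"]*)"\s*;')

def extract_pcre(rule: str):
    """Return the body of the rule's pcre option, or None when the option is
    absent or malformed (for example when the colon after 'pcre' is missing)."""
    m = PCRE_OPTION.search(rule)
    return m.group("body") if m else None

def check_pcre(body: str):
    """Sanity-check a pcre body the way a rule linter would. Returns (ok, reason)."""
    if not body.startswith("/"):
        return False, "missing opening '/' delimiter"
    end = body.rfind("/")
    if end == 0:
        return False, "missing closing '/' delimiter"
    regex = body[1:end]
    try:
        # Python's re is not PCRE, but it rejects the same gross syntax errors,
        # which is enough to catch a pattern before snort refuses to load it.
        re.compile(regex)
    except re.error as exc:
        return False, f"regex does not compile: {exc}"
    return True, "ok"

def pcre_matches(body: str, payload: bytes) -> bool:
    """Apply a well-formed pcre body to a payload, honouring the i/s/m/x flags."""
    ok, reason = check_pcre(body)
    if not ok:
        raise ValueError(reason)
    end = body.rfind("/")
    regex, flags = body[1:end], body[end + 1:]
    re_flags = 0
    for ch, f in (("i", re.I), ("s", re.S), ("m", re.M), ("x", re.X)):
        if ch in flags:
            re_flags |= f
    return re.search(regex.encode(), payload, re_flags) is not None

# Constructed sample rules (not from any ruleset): the first two reproduce the
# shapes from the question, the third has a well-formed pcre option.
RULE_AS_POSTED = 'alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"b64"; pcre"^-A-Za-z0-9+/=]|=[^=]|={3,}$";)'
RULE_NO_DELIMS = 'alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"b64"; pcre:"^-A-Za-z0-9+/=]|=[^=]|={3,}$";)'
RULE_OK = 'alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"b64"; pcre:"/^[A-Za-z0-9+\\/]{16,}={0,2}$/";)'

if __name__ == "__main__":
    for name, rule in (("as posted", RULE_AS_POSTED), ("no delimiters", RULE_NO_DELIMS), ("ok", RULE_OK)):
        body = extract_pcre(rule)
        print(name, "->", "no pcre option found" if body is None else check_pcre(body))
```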