[Snort-devel] full-regex pattern match
gmeneghetti at ...414...
Wed May 9 03:51:59 EDT 2001
I've extended Snort to use it with regular expressions.
Now we could write rules like ".nsf/[^[:alpha:]]" to search
for a non-alpha char after the pattern ".nsf/".
I think this extension could help in many rules, to reduce false alerts
or to write more complex signatures.
A regex rule is identified by the "full-regex" key.
As a simple example, the following line could be a rule matching
"abz", "acz", "adz" ...and not matching "a1z", "a.z", ...:
alert tcp any any -> any any (msg:"Test Regex 2";flags: A+;
The "full-regex" key does an "idx->search = mSearchFRE" in
sp_pattern_match.c, where mSearchFRE is a new search function.
This means performance is safe. Regular searches are performed in the
same old way, but regex functions are performed using
(slower) regex pattern matching.
The regex lib I used comes from an open-source package written by Henry
BTW, the code is still *untested* and beta.
Now the question is: How do I submit patches?
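As an added illustration of the dispatch described in the post (it is not the poster's patch and not Snort's sp_pattern_match.c), the following C program keeps the "same old way" byte search for plain content rules and swaps in a POSIX regcomp/regexec search (the API that descends from Henry Spencer's library) when a rule is flagged full-regex. The struct and function names (PatternOpt, search_literal, search_regex, pattern_search, rule_matches) and the sample HTTP payloads are assumptions made for this example; the pattern ".nsf/[^[:alpha:]]" is the one from the post.

```c
/* Added example, not the poster's patch or Snort code.  It mimics the shape
 * of a search callback (idx->search) with two implementations: a literal
 * byte scan and a POSIX regex search.  Names below are assumptions. */
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a content/full-regex rule option. */
typedef struct {
    const char *pattern;
    int full_regex;   /* nonzero: use the regex search */
    regex_t re;
    int compiled;
} PatternOpt;

/* Compile the option; returns 0 on success, -1 if the regex is invalid. */
int pattern_init(PatternOpt *opt, const char *pattern, int full_regex) {
    opt->pattern = pattern;
    opt->full_regex = full_regex;
    opt->compiled = 0;
    if (full_regex) {
        if (regcomp(&opt->re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
            return -1;
        opt->compiled = 1;
    }
    return 0;
}

void pattern_free(PatternOpt *opt) {
    if (opt->compiled) regfree(&opt->re);
    opt->compiled = 0;
}

/* Plain byte search over the payload: works on arbitrary binary data. */
int search_literal(const PatternOpt *opt, const unsigned char *buf, size_t len) {
    size_t plen = strlen(opt->pattern);
    if (plen == 0 || plen > len) return 0;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, opt->pattern, plen) == 0) return 1;
    return 0;
}

/* Regex search.  regexec() wants a NUL-terminated string, so the payload is
 * copied into a bounded buffer; bytes after an embedded NUL are invisible to
 * the regex, a caveat the literal search does not have.  Returns 1 on match. */
int search_regex(const PatternOpt *opt, const unsigned char *buf, size_t len) {
    if (!opt->compiled) return 0;
    char *copy = malloc(len + 1);
    if (!copy) return 0;
    memcpy(copy, buf, len);
    copy[len] = '\0';
    int rc = regexec(&opt->re, copy, 0, NULL, 0);
    free(copy);
    return rc == 0;
}

/* Dispatcher: the equivalent of choosing idx->search per rule. */
int pattern_search(const PatternOpt *opt, const unsigned char *buf, size_t len) {
    return opt->full_regex ? search_regex(opt, buf, len)
                           : search_literal(opt, buf, len);
}

/* Compile, search one text payload, clean up.  1 match, 0 no match,
 * -1 invalid regex. */
int rule_matches(const char *pattern, int full_regex, const char *payload) {
    PatternOpt opt;
    if (pattern_init(&opt, pattern, full_regex) != 0) return -1;
    int hit = pattern_search(&opt, (const unsigned char *)payload, strlen(payload));
    pattern_free(&opt);
    return hit;
}

int main(void) {
    /* Constructed sample payloads, not captured traffic. */
    const char *hit  = "GET /names.nsf/$defaultview HTTP/1.0";
    const char *miss = "GET /names.nsf/abc HTTP/1.0";
    printf("regex   %-40s -> %d\n", hit,  rule_matches(".nsf/[^[:alpha:]]", 1, hit));
    printf("regex   %-40s -> %d\n", miss, rule_matches(".nsf/[^[:alpha:]]", 1, miss));
    printf("literal %-40s -> %d\n", miss, rule_matches(".nsf/", 0, miss));
    return 0;
}
```

The literal rule fires on both payloads, while the regex rule only fires when a non-alpha byte follows ".nsf/", which is the false-positive reduction the post describes. The NUL caveat in search_regex is worth keeping in mind for binary protocols: a payload with a NUL before the interesting bytes will match the literal search and silently miss the regex one.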