[Snort-devel] full-regex pattern match

Meneghetti Giovanni gmeneghetti at ...414...
Wed May 9 03:51:59 EDT 2001


Hi,
I've extended snort for using it with regular expressions.
Now we could write rules like ".nsf/[^[:alpha:]]" to search
for non alpha char after the pattern ".nsf/".
I think this extensions could help in many rules, to reduce false alerts

or to write more complex signatures.
A regex rule is identified by the "full-regex" key.
As a simple example, the  following line could be a rule matching
"abz", "acz", "adz" ...and not matching "a1z", "a.z", ...:

alert tcp any any -> any any (msg:"Test Regex 2";flags: A+;
content:"a[b-y]z"; reference:arachnids,373;)

The "full-regex" key does a "idx->search = mSearchFRE" in
sp_pattern_match.c, where mSearchFRE is a new search function.
This means performances are safe. Regular searches are performed in the
same old way, but regex functions are performed using
a (slower) regex pattern matching.
Regex lib I used comes from an OpenSource package written by Henry
Spencer.

BTW, the code is still *untested* and beta.

Now the question is: How do I submit patches ?

Bye
Giovanni Meneghetti






More information about the Snort-devel mailing list