[Snort-devel] snort and PCRE - sp_pcre

Matthew Callaway matt-snort at ...806...
Tue Jun 3 06:27:43 EDT 2003


Forward on behalf of a coworker who is not subscribed to this list.

Matt

---------- Forwarded message ----------
Date: Tue, 3 Jun 2003 01:16:29 -0500 (CDT)
From: "Michael J. Pomraning" <mjp (at) securepipe (dot) com>
To: snort-devel at lists.sourceforge.net
Subject: snort and PCRE - (yet another?) sp_pcre

In addition to Brian Caswell's snort_pcre.diff (available as a snort.org
contrib), I've got a similar GPL'd sp_pcre detection plugin, developed
independently, available at

  http://pilcrow.madison.wi.us/sw/sp_pcre-20030602.tar.gz

README file has examples and installation.

I've not played with Brian's patch, but it looks like both permit multiple
"pcre" keywords for (studied) perl-style regexes -- e.g., foo(?!bar) matches
any foo not followed by bar.  Principal differences seem to be:

. quoting and PCRE flagging
  Brian's has quotes and whackety-whacks (\\), and symbolic compilation
  options.  Mine's got m// (or m^^ or plain //, with or without tilde)
  notation, and PCRE (?blah) flags.

    # Some say this or that:
    Brian's....content: "Some say"; pcre: "\\b(this|that)\\b",nocase;
    mine.......content: "Some say"; pcre: /(?i)\b(this|that)\b/
                       # or pcre: m%(?i)\b(this|that)\b%
                       # or pcre: ~ /(?i)\b(this|that)\b/
                       # etc.

  You can guess which I find more palatable for perl-style regexes. ;-)

. RE inversion
  In my sp_pcre, ! or !~ inverts the sense of a match:

    # Some say this or that, but not more:
    content: "Some say"; pcre: /(?i)\b(this|that)\b/;
                         pcre: !~ /\bmore\b/;

  I don't see an analog in Brian's.

. relative patternspace
  Brian's optionally plays nicely with relative matching, that is, relative to
  the next and previous match -- good feature.  Mine applies to the whole
  payload.

I'd love for mine to make the contrib dir, too, or at least to give away its
better features (quoting and inversion).  At any rate, if this many people
desire it enough to write a plugin, PCRE support must be a good idea.  :-)

Regards,
Mike
-- 
Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security
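The following is an added example, not code from the post, from Mike's sp_pcre plugin, or from Brian's snort_pcre.diff. It is a small Python reconstruction of the rule semantics the message describes: a parser for the m// / m%% / ~ / ! / !~ notation, and an evaluator that runs the "this or that, but not more" rule and the foo(?!bar) lookahead over constructed payloads, in both whole-payload mode (Mike's) and the relative mode the post attributes to Brian's patch. Python's re module stands in for PCRE; the parser, the PAYLOADS, and the helper names are assumptions made for illustration.

```python
import re

# Constructed sample payloads (not from the original post).
PAYLOADS = {
    "this":       b"Some say this is fine",
    "that_more":  b"Some say that, and more",
    "no_content": b"They say this elsewhere",
    "before":     b"that: Some say nothing",
}


def parse_pcre_option(text):
    """Parse the value of a 'pcre:' keyword in the notation the post describes.

    Accepts /re/ or m<delim>re<delim>, optionally preceded by ~ (match) or
    ! / !~ (inverted match).  Returns (negated, pattern).  This is a
    reconstruction of the notation from the post, not the plugin's own parser.
    """
    text = text.strip()
    negated = False
    for prefix, neg in (("!~", True), ("!", True), ("~", False)):
        if text.startswith(prefix):
            negated = neg
            text = text[len(prefix):].lstrip()
            break
    if text.startswith("/"):
        delim, body = "/", text[1:]
    elif text.startswith("m") and len(text) > 2 and not (text[1].isalnum() or text[1].isspace()):
        delim, body = text[1], text[2:]
    else:
        raise ValueError("expected /re/ or m<delim>re<delim>: %r" % text)
    end = body.rfind(delim)
    if end < 0 or body[end + 1:].strip():
        raise ValueError("unterminated pattern or trailing junk: %r" % text)
    return negated, body[:end]


def match_rule(options, payload, relative=False):
    """Evaluate an ordered list of ('content', bytes) / ('pcre', str) options.

    relative=False: every option searches the whole payload, as the post says
    Mike's sp_pcre does.  relative=True: each option starts where the previous
    match ended, the relative behaviour the post attributes to Brian's patch.
    """
    cursor = 0
    for kind, value in options:
        start = cursor if relative else 0
        if kind == "content":
            idx = payload.find(value, start)
            if idx < 0:
                return False
            cursor = idx + len(value)
        elif kind == "pcre":
            negated, pattern = parse_pcre_option(value)
            # Python's re stands in for PCRE; (?i), \b and (?!...) behave the same here.
            m = re.compile(pattern.encode("latin-1")).search(payload, start)
            if negated:
                if m:
                    return False
            else:
                if not m:
                    return False
                cursor = m.end()
        else:
            raise ValueError("unknown option %r" % kind)
    return True


# The post's "this or that, but not more" rule, in Mike's notation.
THIS_OR_THAT_NOT_MORE = [
    ("content", b"Some say"),
    ("pcre", r"/(?i)\b(this|that)\b/"),
    ("pcre", r"!~ /\bmore\b/"),
]

# The post's lookahead example: any "foo" not followed by "bar".
FOO_NOT_BAR = [("pcre", r"/foo(?!bar)/")]


def demo():
    """Run both rules; the 'before' payload shows whole-payload vs relative matching."""
    results = {name: match_rule(THIS_OR_THAT_NOT_MORE, p) for name, p in PAYLOADS.items()}
    results["before_relative"] = match_rule(THIS_OR_THAT_NOT_MORE, PAYLOADS["before"], relative=True)
    results["foobar"] = match_rule(FOO_NOT_BAR, b"foobar")
    results["foobaz"] = match_rule(FOO_NOT_BAR, b"foobar foobaz")
    return results


if __name__ == "__main__":
    for name, hit in demo().items():
        print("%-16s %s" % (name, hit))
```

The "before" payload is the interesting one: with whole-payload matching the rule fires because "that" appears before the "Some say" content, while relative matching only looks after the content and does not fire, which is the difference the third bullet of the post is pointing at.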
