[Snort-devel] snort and PCRE - (yet another?) sp_pcre

Michael J. Pomraning mjp at ...806...
Wed Jun 4 06:27:26 EDT 2003

In addition to Brian Caswell's snort_pcre.diff (available as a snort.org
contrib), I've got a similar GPL'd sp_pcre detection plugin, developed
independently, available at


README file has examples and installation.

I've not played with Brian's patch, but it looks like both permit multiple
"pcre" keywords for (studied) perl-style regexes -- e.g., foo(?!bar) matches
any foo not followed by bar.  Principal differences seem to be:

. quoting and PCRE flagging
  Brian's has quotes and whackety-whacks (\\), and symbolic compilation
  options.  Mine's got m// (or m^^ or plain //, with or without tilde)
  notation, and PCRE (?blah) flags.

    # Some say this or that:
    Brian's....content: "Some say"; pcre: "\\b(this|that)\\b",nocase;
    mine.......content: "Some say"; pcre: /(?i)\b(this|that)\b/
                       # or pcre: m%(?i)\b(this|that)\b%
                       # or pcre: ~ /(?i)\b(this|that)\b/
                       # etc.

  You can guess which I find more palatable for perl-style regexes. ;-)

. RE inversion
  In my sp_pcre, ! or !~ inverts the sense of a match:

    # Some say this or that, but not more:
    content: "Some say"; pcre: /(?i)\b(this|that)\b/;
                         pcre: !~ /\bmore\b/;

  I don't see an analog in Brian's.

. relative patternspace
  Brian's optionally plays nicely with relative matching, that is, relative to
  the next and previous match -- good feature.  Mine applies to the whole

I'd love for mine to make the contrib dir, too, or at least to give away its
better features (quoting and inversion).  At any rate, if this many people
desire it enough to write a plugin, PCRE support must be a good idea.  :-)

Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security
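An added illustration, not code from the post or from either sp_pcre plugin: a small Python parser for the m// / m%% / ~ / !~ option notation described above, evaluating a rule with one content: and several pcre: options against constructed payloads. Python's re stands in for PCRE, and the function names are my own.

```python
import re

def parse_pcre_option(option):
    """Return (negated, pattern) for a pcre: value in the notation above:
    '/.../', 'm%...%', 'm^...^', optionally prefixed with '~', '!~' or '!'."""
    s = option.strip()
    negated = False
    if s.startswith("!"):           # '!' or '!~' inverts the sense of the match
        negated = True
        s = s[1:].lstrip()
    if s.startswith("~"):           # a bare '~' is just the perl-style binding operator
        s = s[1:].lstrip()
    if s.startswith("m") and len(s) > 1 and not (s[1].isalnum() or s[1].isspace()):
        delim, body = s[1], s[2:]   # m with an arbitrary non-word delimiter
    elif s.startswith("/"):
        delim, body = "/", s[1:]    # plain // form
    else:
        raise ValueError("unrecognised pcre option: %r" % option)
    if not body.endswith(delim):
        raise ValueError("unterminated pattern: %r" % option)
    return negated, body[:-1]      # inline (?i) etc. flags stay inside the pattern

def rule_matches(payload, content, pcre_options):
    """A rule fires only if the content: string is present and every pcre:
    option holds (a negated option holds when its regex does NOT match)."""
    if content not in payload:
        return False
    for opt in pcre_options:
        negated, pattern = parse_pcre_option(opt)
        found = re.search(pattern, payload) is not None
        if found == negated:        # hit on a negated option, or miss on a plain one
            return False
    return True

# Constructed sample rule and payloads, mirroring the "this or that, but not more" example.
RULE_CONTENT = "Some say"
RULE_PCRE = [r"/(?i)\b(this|that)\b/", r"!~ /\bmore\b/"]
SAMPLE_PAYLOADS = {
    "this":       "Some say THIS is fine",      # fires: 'this' present, 'more' absent
    "that_more":  "Some say that and more",     # suppressed by the inverted option
    "neither":    "Some say nothing of note",   # first pcre option misses
}

def evaluate_samples():
    return {name: rule_matches(p, RULE_CONTENT, RULE_PCRE) for name, p in SAMPLE_PAYLOADS.items()}

if __name__ == "__main__":
    print(evaluate_samples())
```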
