[Snort-devel] PCRE and the Snort-specific modifiers

Joshua.Kinard at ...3108...
Fri Aug 13 20:05:34 EDT 2010


Hi all,

I've got a couple of questions regarding the 'pcre' rule option and its
modifier stack.  With a 'content' rule option, we cannot mix options
like 'http_header' and 'http_raw_header', otherwise, Snort throws an
error.  Does the same apply to using the various Snort-specific URI
modifiers in 'pcre'?

I.e., should using 'U' (like http_uri) forbid 'I' (like http_raw_uri)?
Ditto for 'H' & 'D', and 'C' & 'K'.

How about using the 'B' (like rawbytes) modifier?  Again with 'content',
we cannot use 'rawbytes' and any http_* modifier.  Should the use of 'B'
forbid the use of 'U', 'I', 'P', 'H', 'D', 'M', 'C', 'K', 'S', & 'Y'?
Currently, Snort doesn't enforce any parser check against a rule using
such a combination.  I've only been testing the parser (and looking at
the code for the parser for some of these options), so I haven't tried
validating this against any actual traffic as of yet.

And how is the 'O' modifier used?  Its description in the manual simply
states that it overrides pcre_match_limit... but with what?  Does it
simply instruct Snort to just ignore the aforementioned limit, or does
this modifier take an argument somehow?  I haven't studied the source
well enough to figure out what this specific modifier is doing.

Also, the manual needs to mention the exclusivity of the 'R' (relative)
and URI modifiers.  An error condition is thrown when the parser detects
them used together, but I see no mention in the manual of this check.
The manual does, however, mention not to use 'R' and 'B' together
(why?), but the parser does not actually enforce this (which is
inconsistent).

Thanks!

--J
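The modifier conflicts the post asks about can be checked outside Snort with a small rule linter. The following is an added example, not code from the post or from the Snort project, and the exclusivity policy it enforces is an assumption: it treats the 'pcre' modifiers the way the post says the 'content' option already behaves (no normalized+raw pair for the same buffer, no 'B' alongside an http_* modifier, no 'R' alongside a URI modifier) and only warns on 'R'+'B', which the post says the manual discourages but the parser does not reject. The sample rule, its sid and its patterns are constructed for the demonstration.

```python
import re
from typing import List, Tuple

# Modifier letters taken from the post. The grouping below is an ASSUMPTION
# for this linter (mirroring the 'content' option's rules the post describes),
# not a description of what Snort's own parser enforces.
HTTP_MODIFIERS = set("UIPHDMCKSY")   # Snort-specific HTTP buffer modifiers
URI_MODIFIERS = {"U", "I"}           # 'U' ~ http_uri, 'I' ~ http_raw_uri
# Normalized vs raw view of the same buffer (U/I uri, H/D header, C/K cookie).
EXCLUSIVE_PAIRS = [("U", "I"), ("H", "D"), ("C", "K")]

# pcre:"/regex/mods";  (optional leading '!' negates the match)
PCRE_OPTION = re.compile(
    r'^\s*pcre:\s*"(?P<neg>!?)/(?P<pattern>.*)/(?P<mods>[A-Za-z]*)"\s*;?\s*$', re.S
)
# Same shape, but non-greedy so several pcre options in one rule can be found.
PCRE_IN_RULE = re.compile(r'pcre:\s*"!?/.*?/[A-Za-z]*"\s*;')


def parse_pcre_option(option: str) -> Tuple[bool, str, str]:
    """Split a raw pcre option into (negated, regex, modifier string)."""
    m = PCRE_OPTION.match(option)
    if not m:
        raise ValueError(f"not a pcre rule option: {option!r}")
    return (m.group("neg") == "!", m.group("pattern"), m.group("mods"))


def lint_pcre_modifiers(mods: str) -> List[str]:
    """Return a list of human-readable conflicts found in a modifier string."""
    flags = set(mods)
    issues: List[str] = []
    for a, b in EXCLUSIVE_PAIRS:
        if a in flags and b in flags:
            issues.append(f"'{a}' and '{b}' select the normalized and raw form "
                          f"of the same buffer; use only one")
    if "B" in flags:
        clash = sorted(flags & HTTP_MODIFIERS)
        if clash:
            issues.append(f"'B' (rawbytes) cannot be combined with HTTP "
                          f"modifier(s) {', '.join(clash)}")
        if "R" in flags:
            # The post says the manual advises against this but the parser
            # does not reject it, so it is reported as a warning only.
            issues.append("warning: 'R' and 'B' together is discouraged by the manual")
    if "R" in flags:
        clash = sorted(flags & URI_MODIFIERS)
        if clash:
            issues.append(f"'R' (relative) cannot be combined with URI "
                          f"modifier(s) {', '.join(clash)}")
    return issues


def lint_rule(rule: str) -> List[Tuple[str, str]]:
    """Lint every pcre option in a full rule line; returns (mods, issue) pairs."""
    findings: List[Tuple[str, str]] = []
    for m in PCRE_IN_RULE.finditer(rule):
        _, _, mods = parse_pcre_option(m.group(0))
        for issue in lint_pcre_modifiers(mods):
            findings.append((mods, issue))
    return findings


if __name__ == "__main__":
    # Constructed sample rule: the first pcre is fine, the second mixes H and D.
    sample = ('alert tcp any any -> any 80 (msg:"constructed sample"; '
              'pcre:"/^GET/Ui"; pcre:"/x-test/HD"; sid:1000001;)')
    for mods, issue in lint_rule(sample):
        print(f"[{mods}] {issue}")
```

Running the block prints one finding for the `HD` option; a rule file can be checked by calling `lint_rule` on each line and failing the build on any finding whose text does not start with `warning:`.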