[Snort-devel] PCRE and the Snort-specific modifiers
mwatchinski at ...402...
Sat Aug 14 13:36:32 EDT 2010
Opened a bug to evaluate.
Sent from my iPhone
On Aug 13, 2010, at 8:05 PM, Joshua.Kinard at ...3108... wrote:
> Hi all,
> I've got a couple of questions regarding the 'pcre' rule option and
> modifier stack. With a 'content' rule option, we cannot mix options
> like 'http_header' and 'http_raw_header', otherwise, Snort throws an
> error. Does the same apply to using the various Snort-specific URI
> modifiers in 'pcre'?
> I.e., should using 'U' (like http_uri) forbid 'I' (like http_raw_uri)?
> Ditto for 'H' & 'D', and 'C' & 'K'.
> How about using the 'B' (like rawbytes) modifier? Again with
> we cannot use 'rawbytes' and any http_* modifier. Should the use of
> forbid the use of 'U', 'I', 'P', 'H', 'D', 'M' , 'C', 'K', 'S', & 'Y'?
> Currently, Snort doesn't enforce any parser check against a rule using
> such a combination. I've only been testing the parser (and looking at
> the code for the parser for some of these options), so I haven't tried
> validating this against any actual traffic as of yet.
> And how is the 'O' modifier used? Its description in the manual
> states that it overrides pcre_match_limit....but with what? Does it
> simply instruct Snort to just ignore the aforementioned limit, or does
> this modifier take an argument somehow? I haven't studied the source
> well enough to figure out what this specific modifier is doing.
> Also, the manual needs to mention the exclusivity of the 'R' (relative)
> and URI modifiers. An error condition is thrown when the parser
> them used together, but I see no mention in the manual of this check.
> The manual does, however, mention not to use 'R' and 'B' together
> (why?), but the parser does not actually enforce this (which is
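A small rule-linting check for the modifier combinations the question raises, added here as an illustration and not code from Snort or from anyone in the thread. It treats the normalised/raw pairs (U/I, H/D, C/K) and 'B' against any http buffer modifier as conflicts, which is the poster's proposal rather than confirmed parser behaviour, and reads "URI modifiers" in the 'R' check as the full set of http buffer letters; the sample rules are constructed.

```python
import re

# Snort-specific pcre modifiers and the 'content' option each mirrors (letters as listed in the thread).
HTTP_MODIFIERS = {
    "U": "http_uri", "I": "http_raw_uri", "P": "http_client_body",
    "H": "http_header", "D": "http_raw_header", "M": "http_method",
    "C": "http_cookie", "K": "http_raw_cookie",
    "S": "http_stat_code", "Y": "http_stat_msg",
}
# Normalised/raw pairs treated as exclusive, as the poster proposes (assumption, mirrors 'content').
EXCLUSIVE_PAIRS = (("U", "I"), ("H", "D"), ("C", "K"))
PCRE_OPT = re.compile(r'pcre:\s*!?"(.*?)"\s*;')


def parse_pcre_option(rule: str) -> tuple[str, str]:
    """Return (pattern, modifiers) from a rule's pcre option: the first char inside
    the quotes is the delimiter, the regex runs to its last occurrence, modifiers follow."""
    m = PCRE_OPT.search(rule)
    if not m or not m.group(1):
        raise ValueError("rule has no usable pcre option")
    body = m.group(1)
    end = body.rfind(body[0])
    if end == 0:
        raise ValueError("unterminated pcre pattern")
    return body[1:end], body[end + 1:]


def modifier_conflicts(modifiers: str) -> list[str]:
    """List Snort-specific modifier combinations that should not be mixed."""
    mods = set(modifiers)
    http = sorted(mods & set(HTTP_MODIFIERS))
    found = [f"'{a}' ({HTTP_MODIFIERS[a]}) with '{b}' ({HTTP_MODIFIERS[b]})"
             for a, b in EXCLUSIVE_PAIRS if a in mods and b in mods]
    # 'B' (rawbytes) vs any http buffer: the poster's proposed rule for pcre (assumption).
    if "B" in mods:
        found += [f"'B' (rawbytes) with '{x}' ({HTTP_MODIFIERS[x]})" for x in http]
    # 'R' vs http buffers: the check the poster reports; 'R' with 'B': what the manual warns against.
    if "R" in mods:
        found += [f"'R' (relative) with '{x}' ({HTTP_MODIFIERS[x]})" for x in http]
        if "B" in mods:
            found.append("'R' (relative) with 'B' (rawbytes)")
    return found


def lint_rule(rule: str) -> list[str]:
    return modifier_conflicts(parse_pcre_option(rule)[1])


# Constructed sample rules (not from the thread).
SAMPLE_RULES = [
    'alert tcp any any -> any 80 (msg:"ok"; pcre:"/login\\.php/Ui"; sid:1000001;)',
    'alert tcp any any -> any 80 (msg:"both"; pcre:"/login\\.php/UI"; sid:1000002;)',
    'alert tcp any any -> any 80 (msg:"raw+hdr"; pcre:"/Host: x/BH"; sid:1000003;)',
]
```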