[Snort-devel] [PATCH] Add a better example for pcre in the manual

Joshua Kinard kumba at ...2185...
Mon Dec 26 19:19:47 EST 2011


The example bit in the manual for pcre is a bit plain and really could lead
to a novice user using the option incorrectly.  The attached patch adds a
saner example:

     alert tcp any any -> any 80 (content:"/foo.php?id="; pcre:"/\/foo.php?id=[0-9]{1,10}/iU";)


It demonstrates two things:

1. Using a content match to allow the fast-pattern matcher to prefilter
non-matching packets so that the pcre engine only checks a minimal number of
packets.  This is one of the less-understood uses of pcre, in my opinion.

2. How a pcre enhances a content match by being able to look for variable
data while content can only look for static data, with HTTP URI strings
being a fairly common use-case.

The patch also adds an extra "note" section detailing #1 above.

Changes:
 snort_manual.tex |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)


Cheers!

-- 
Joshua Kinard
Gentoo/MIPS
kumba at ...2185...
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: snort-2.9.2-better-pcre-example.patch
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20111226/bf938db6/attachment.ksh>
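As an added illustration (my own Python, not part of the attached patch or of Snort itself), the following simulates the two-stage evaluation described in point 1 above: an exact substring content match gates which URIs the regex engine ever sees, and the regex then picks out the variable numeric id that a content match cannot express. The URIs are constructed samples; the regex is written for Python's `re`, with the literal `.` and `?` of the URI escaped and the `/i` flag expressed as `re.IGNORECASE`, which is assumed to be an adequate stand-in for the pcre option here.

```python
import re

# Constructed sample HTTP request URIs standing in for normalized URI buffers.
SAMPLE_URIS = [
    "/foo.php?id=42",
    "/foo.php?id=1234567890",
    "/FOO.PHP?ID=7",             # uppercase: content is case-sensitive unless nocase
    "/foo.php?id=abc",           # content hit, pcre miss: id is not numeric
    "/bar.php?id=42",            # content miss: pcre never runs for this URI
    "/index.html",
    "/foo.php?id=12345678901",   # 11 digits: unanchored regex still matches the first 10
]

# The static part the fast-pattern matcher looks for (the rule's content: option).
CONTENT = "/foo.php?id="

# The variable part, written for Python's re: literal '.' and '?' escaped,
# /i expressed as re.IGNORECASE. Assumed equivalent for illustration only.
PCRE = re.compile(r"/foo\.php\?id=[0-9]{1,10}", re.IGNORECASE)


def content_match(uri, needle=CONTENT, nocase=False):
    """Exact substring search, as a content: option does (nocase makes it case-insensitive)."""
    if nocase:
        return needle.lower() in uri.lower()
    return needle in uri


def evaluate(uris, needle=CONTENT, pattern=PCRE, nocase=False):
    """Simulate one rule's two-stage evaluation over a list of URIs.

    Returns {'pcre_runs': <how many URIs reached the regex>, 'alerts': [<matching URIs>]}.
    """
    stats = {"pcre_runs": 0, "alerts": []}
    for uri in uris:
        if not content_match(uri, needle, nocase):
            continue            # prefiltered out: the regex engine never sees it
        stats["pcre_runs"] += 1
        if pattern.search(uri):
            stats["alerts"].append(uri)
    return stats


if __name__ == "__main__":
    for nocase in (False, True):
        result = evaluate(SAMPLE_URIS, nocase=nocase)
        print(f"nocase={nocase}: {len(SAMPLE_URIS)} URIs, "
              f"{result['pcre_runs']} reached pcre, {len(result['alerts'])} alerts")
        for uri in result["alerts"]:
            print("  alert:", uri)
```

Running it shows that with a case-sensitive content match only four of the seven URIs ever reach the regex, and the uppercase one is among those dropped: the pcre's `/i` flag can only widen matching for what the content prefilter lets through, so a case-insensitive rule needs `nocase` on the content option as well. It also shows the unanchored regex matching an id longer than ten digits on its first ten, a detail worth keeping in mind when bounding a quantifier.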