[Snort-sigs] pcre syntax error for sid 1229

Brian bmc at ...95...
Fri Mar 19 09:02:25 EST 2004

On Fri, Mar 19, 2004 at 01:47:47PM +0100, Milani Paolo wrote:
> sid 1229 "FTP CWD ..." (from a 2.1 snapshot which is only a few days
> old) gives a lot of false positives because of an error in the
> regular expression syntax: the special character '.' (match anything
> except $) was not escaped.

Yep, this change has already been pushed out to HEAD.   I'm not sure
why the sync to 2_1 didn't include them.  I'll check on that shortly.

> As a sidenote: isn't using non-greedy quantifiers very bad in terms
> of performance? 

Nope.  We want to match as few times as possible while still allowing
the rest of the pattern to match to dump out as quickly as possible.


More information about the Snort-sigs mailing list