[Snort-sigs] pcre syntax error for sid 1229

Brian bmc at ...95...
Fri Mar 19 09:02:25 EST 2004


On Fri, Mar 19, 2004 at 01:47:47PM +0100, Milani Paolo wrote:
> sid 1229 "FTP CWD ..." (from a 2.1 snapshot which is only a few days
> old) gives a lot of false positives because of an error in the
> regular expression syntax: the special character '.' (match anything
> except $) was not escaped.

Yep, this change has already been pushed out to HEAD.  I'm not sure
why the sync to 2_1 didn't include it.  I'll check on that shortly.

> As a sidenote: isn't using non-greedy quantifiers very bad in terms
> of performance? 

Nope.  We want to match as few times as possible while still allowing
the rest of the pattern to match to dump out as quickly as possible.

Brian
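
Added example, not part of the original thread and not the rule's own text: a Python sketch of the false positives an unescaped '.' causes in a CWD pattern, and of where a non-greedy versus greedy match ends. The three patterns and the sample FTP lines are assumptions constructed for illustration; the actual sid 1229 pcre is not shown in the post.

```python
import re

# Assumed patterns modelled on the bug described in the thread; they are
# not copied from the actual sid 1229 rule text, which the post does not show.
FLAGS = re.S | re.M | re.I
UNESCAPED = re.compile(r"^CWD\s[^\n]*?...", FLAGS)    # '.' = any character
ESCAPED = re.compile(r"^CWD\s[^\n]*?\.\.\.", FLAGS)   # three literal dots
GREEDY = re.compile(r"^CWD\s[^\n]*\.\.\.", FLAGS)     # same, greedy quantifier

# Constructed FTP control-channel lines: (command, contains a literal "...")
SAMPLES = [
    ("CWD /pub/incoming\r\n", False),
    ("CWD docs\r\n", False),
    ("CWD ..\r\n", False),
    ("LIST ...\r\n", False),
    ("cwd ...\r\n", True),
    ("CWD /tmp/.../x\r\n", True),
]

def evaluate(pattern):
    """Return (true positives, false positives, false negatives)."""
    tp = fp = fn = 0
    for line, expected in SAMPLES:
        hit = pattern.search(line) is not None
        if hit and expected:
            tp += 1
        elif hit:
            fp += 1
        elif expected:
            fn += 1
    return tp, fp, fn

def match_end(pattern, line):
    """Offset at which the match ends, or None when nothing matches."""
    m = pattern.search(line)
    return m.end() if m else None

if __name__ == "__main__":
    print("unescaped:", evaluate(UNESCAPED))
    print("escaped:  ", evaluate(ESCAPED))
    line = "CWD /a/.../b/.../c\r\n"  # constructed
    print("lazy ends at", match_end(ESCAPED, line),
          "greedy ends at", match_end(GREEDY, line))
```

With the unescaped form, every CWD command with at least three characters after the space matches; the escaped form matches only the two lines that contain a literal "...".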



