[Snort-sigs] Question about pcre syntax

Paul Schmehl pauls at ...1311...
Sat Feb 16 15:10:34 EST 2008


Is this correct syntax for pcre?  Or will it not work at all?

prce:"/foo|bar|some|such|thing/";

The intent is to provide a bunch of ors that would match after a previous 
positive content match.

Would it be more efficient (less resource intensive) to write a separate 
rule for each match, even though the entire rule would be the same except 
for the second content match?

Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/





More information about the Snort-sigs mailing list