[Snort-sigs] Question about pcre syntax

Joel Esler joel.esler at ...435...
Sat Feb 16 15:26:34 EST 2008


You need parentheses around the options. But yes, content matches
would be faster.

--
Joel Esler
Sent from the iRoad.

On Feb 16, 2008, at 3:10 PM, Paul Schmehl <pauls at ...1311...> wrote:

> Is this correct syntax for pcre?  Or will it not work at all?
>
> prce:"/foo|bar|some|such|thing/";
>
> The intent is to provide a bunch of ors that would match after a previous
> positive content match.
>
> Would it be more efficient (less resource intensive) to write a separate
> rule for each match, even though the entire rule would be the same except
> for the second content match?
>
> Paul Schmehl (pauls at ...1311...)
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/