[Snort-sigs] Matching PCRE

Matt Olney molney at ...435...
Tue Jan 19 16:13:46 EST 2010

I think greediness may be biting you in the butt...

So this would match:

  re> /(\w+).?=.?\1/   <----rough rewrite of your pcre
data> applee=eapple
 0: applee=eapple
 1: apple
data> sap=bsa
 0: sap=bsa
 1: sa
data> buffalo=uffalo
 0: uffalo=uffalo
 1: uffalo
data> buff=abuf
 0: buff=abuf
 1: buf

More information about the Snort-sigs mailing list