[Snort-sigs] Matching PCRE

Paul Schmehl pschmehl_lists at ...3425...
Tue Jan 19 19:01:59 EST 2010


I suspected as much, so I added "G" after the match boundaries.  We'll see if 
that totally breaks the rule.  Hope not.  :-)

--On Tuesday, January 19, 2010 15:13:46 -0600 Matt Olney 
<molney at ...435...> wrote:

>
> I think greediness may be biting you in the butt...
>
>
> So this would match:
>
>   re> /(\w+).?=.?\1/   <----rough rewrite of your pcre
> data> applee=eapple
>  0: applee=eapple
>  1: apple
> data> sap=bsa
>  0: sap=bsa
>  1: sa
> data> buffalo=uffalo
>  0: uffalo=uffalo
>  1: uffalo
> data> buff=abuf
>  0: buff=abuf
>  1: buf



-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
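
The pcretest session quoted above, reproduced as an added example that is not part of the original thread. Python's `re` stands in for PCRE, the lazy pattern approximates Snort's "G" modifier, and the `STRICT` pattern assumes the rule's intent is that the whole token repeats on both sides of the `=`. All names are this example's own.

```python
import re

# Constructed from the pcretest session quoted above (the "data>" lines).
SAMPLES = ["applee=eapple", "sap=bsa", "buffalo=uffalo", "buff=abuf"]
# Constructed inputs where both sides really are the same token.
EXACT = ["apple=apple", "apple = apple"]

# The rough rewrite from the thread: greedy, unanchored.
LOOSE = re.compile(r"(\w+).?=.?\1")
# Same pattern with every quantifier made lazy (approximates the "G" modifier).
LAZY = re.compile(r"(\w+?).??=.??\1")
# Assumed intent: the whole token repeats. \b pins both copies to token edges.
STRICT = re.compile(r"\b(\w+)\b.?=.?\b\1\b")


def probe(pattern, data):
    """Return (whole match, group 1) like pcretest's 0:/1: lines, or None."""
    m = pattern.search(data)
    return (m.group(0), m.group(1)) if m else None


def report(patterns, inputs):
    """Map each input to the result of every named pattern."""
    return {d: {name: probe(p, d) for name, p in patterns.items()} for d in inputs}


if __name__ == "__main__":
    patterns = {"loose": LOOSE, "lazy": LAZY, "strict": STRICT}
    for data, results in report(patterns, SAMPLES + EXACT).items():
        print(data)
        for name, res in results.items():
            print(f"  {name:6} -> {res}")
```

Backtracking lets the engine shrink group 1 or slide the start position until the backreference fits, so changing quantifier greediness alters which substring is captured but not whether these inputs match.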




