[Snort-sigs] Matching PCRE

Paul Schmehl pschmehl_lists at ...3425...
Tue Jan 19 19:07:07 EST 2010


Which raised a question in my mind which I've been unable to find an answer to. 
Is there any sort of backreference in pcre that requires an *exact* match with 
the previous string?  IOW, if I have eeapple as a match, is there any way to 
force the backreference to only match on the entire string and not any one part 
of it?

I poked around on the web and found \$ and \0, but neither seemed to do the 
trick.  I could return to \d instead of \w, but that would eliminate an entire 
class of sql injection matches (e.g. or a=a, etc.)

--On Tuesday, January 19, 2010 15:13:46 -0600 Matt Olney 
<molney at ...435...> wrote:

>
> I think greediness may be biting you in the butt...
>
>
> So this would match:
>
>   re> /(\w+).?=.?\1/   <----rough rewrite of your pcre
> data> applee=eapple
>  0: applee=eapple
>  1: apple
> data> sap=bsa
>  0: sap=bsa
>  1: sa
> data> buffalo=uffalo
>  0: uffalo=uffalo
>  1: uffalo
> data> buff=abuf
>  0: buff=abuf
>  1: buf



-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
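As an added example (not part of the thread), the following Python script reproduces the partial-capture behaviour shown in the quoted pcretest session and contrasts it with a pattern that forces the capture and its backreference to be whole tokens. Python's `re` module is used here in place of pcretest; `\b`, the greedy `\w+` and the `\1` backreference behave the same way in PCRE. The sample strings are constructed for the demonstration, and the first four are the ones from the quoted session.

```python
import re

# Rough rewrite of the original pcre, as quoted in the thread.  The greedy
# \w+ can backtrack to a shorter capture until \1 finds *some* substring
# on the right-hand side, which is why "sap=bsa" captures only "sa".
LOOSE = re.compile(r"(\w+).?=.?\1")

# Same idea with word boundaries around both the capture and the
# backreference: \w+ may still backtrack, but any shorter capture then
# fails the trailing \b, so \1 has to reproduce the complete token.
STRICT = re.compile(r"\b(\w+)\b.?=.?\b\1\b")

# Constructed sample payloads; the first four mirror the quoted pcretest runs.
SAMPLES = [
    "applee=eapple",   # loose: captures "apple"    strict: no match
    "sap=bsa",         # loose: captures "sa"       strict: no match
    "buffalo=uffalo",  # loose: captures "uffalo"   strict: no match
    "buff=abuf",       # loose: captures "buf"      strict: no match
    "a=a",             # both: whole-token tautology, matches
    "apple=apple",     # both: matches
    "1=1",             # both: matches
    "x=y",             # neither matches
]


def find(pattern, data):
    """Return (group 0, group 1) for the first match, or None."""
    m = pattern.search(data)
    return (m.group(0), m.group(1)) if m else None


def compare(data):
    """Run both patterns on one string so the difference is side by side."""
    return {"loose": find(LOOSE, data), "strict": find(STRICT, data)}


def is_whole_token_tautology(data):
    """True only when the same complete token appears on both sides of '='."""
    return STRICT.search(data) is not None


if __name__ == "__main__":
    for s in SAMPLES:
        r = compare(s)
        print(f"{s:16} loose={r['loose']}  strict={r['strict']}")
```

Running the script prints the loose results exactly as in the quoted session (group 1 of `sap=bsa` is `sa`, of `buff=abuf` is `buf`) while the strict pattern matches only `a=a`, `apple=apple` and `1=1`. The `\b` anchors are what change the behaviour: they do not stop `\w+` from backtracking, but every shorter candidate is then rejected because it ends inside a word, so the only capture left is the full token and `\1` must reproduce it in full.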