[Snort-sigs] Matching PCRE

Joel Esler jesler at ...435...
Tue Jan 19 19:45:45 EST 2010


\1 will match a previous parenthetical match. \2, etc.

--
Joel Esler

On Jan 19, 2010, at 7:07 PM, Paul Schmehl <pschmehl_lists at ...3425...> wrote:

> Which raised a question in mind which I've been unable to find an answer to.
> Is there any sort of backreference in pcre that requires an *exact* match with
> the previous string?  IOW, if I have eeapple as a match, is there any way to
> force the backreference to only match on the entire string and not any one part
> of it?
>
> I poked around on the web and found \$ and \0, but neither seemed to do the
> trick.  I could return to \d instead of \w, but that would eliminate an entire
> class of sql injection matches (e.g. or a=a, etc.)
>
> --On Tuesday, January 19, 2010 15:13:46 -0600 Matt Olney
> <molney at ...435...> wrote:
>
>>
>> I think greediness may be biting you in the butt...
>>
>>
>> So this would match:
>>
>>  re> /(\w+).?=.?\1/   <----rough rewrite of your pcre
>> data> applee=eapple
>> 0: applee=eapple
>> 1: apple
>> data> sap=bsa
>> 0: sap=bsa
>> 1: sa
>> data> buffalo=uffalo
>> 0: uffalo=uffalo
>> 1: uffalo
>> data> buff=abuf
>> 0: buff=abuf
>> 1: buf
>
>
>
> -- 
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *******************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
>
>
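An added example, not part of the original thread or of any Snort rule: it replays the four inputs from the pcretest session quoted above through Python's `re` module (used here in place of PCRE; the two behave the same for `\w`, `\b`, `\1` and greedy backtracking) and compares Matt's pattern with a word-boundary variant. The `STRICT` pattern, the helper names and the extra tautology samples are assumptions made for illustration.

```python
import re

# Matt's rough rewrite from the thread: the group may backtrack to a shorter
# capture, and the search may start in the middle of a word.
LOOSE = re.compile(r'(\w+).?=.?\1')

# Assumed tightening (not from the thread): \b on both sides of the group and
# of the backreference forces each side of '=' to be one whole word.
STRICT = re.compile(r'\b(\w+)\b.?=.?\b\1\b')

# Constructed samples: the four inputs from the pcretest session, followed by
# tautologies of the kind such a rule is meant to flag.
SAMPLES = [
    "applee=eapple",
    "sap=bsa",
    "buffalo=uffalo",
    "buff=abuf",
    "or a=a",
    "1 = 1",
    "apple=apple",
]


def captures(pattern, data):
    """Return (whole match, group 1), like pcretest's 0: and 1: lines, or None."""
    m = pattern.search(data)
    return (m.group(0), m.group(1)) if m else None


def compare(samples=SAMPLES):
    """Map each sample to its (loose result, strict result) pair."""
    return {s: (captures(LOOSE, s), captures(STRICT, s)) for s in samples}


if __name__ == "__main__":
    for sample, (loose, strict) in compare().items():
        print(f"{sample!r:18} loose={loose!s:30} strict={strict}")
```

The loose pattern reproduces the partial captures shown in the session, while the bounded one matches only when both sides of the `=` are the same whole word.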



