[Snort-sigs] Matching PCRE

Matt Olney molney at ...435...
Tue Jan 19 20:07:40 EST 2010


/me stands back and waits.

On Tue, Jan 19, 2010 at 7:45 PM, Joel Esler <jesler at ...435...> wrote:
> \1 will match a previous parenthetical match. \2, etc.
>
> --
> Joel Esler
>
> On Jan 19, 2010, at 7:07 PM, Paul Schmehl <pschmehl_lists at ...3425...> wrote:
>
>> Which raised a question in mind which I've been unable to find an answer to.
>> Is there any sort of backreference in pcre that requires an *exact* match with
>> the previous string?  IOW, if I have eeapple as a match, is there any way to
>> force the backreference to only match on the entire string and not any one part
>> of it?
>>
>> I poked around on the web and found \$ and \0, but neither seemed to do the
>> trick.  I could return to \d instead of \w, but that would eliminate an entire
>> class of sql injection matches (e.g. or a=a, etc.)
>>
>> --On Tuesday, January 19, 2010 15:13:46 -0600 Matt Olney
>> <molney at ...435...> wrote:
>>
>>>
>>> I think greediness may be biting you in the butt...
>>>
>>>
>>> So this would match:
>>>
>>>  re> /(\w+).?=.?\1/   <----rough rewrite of your pcre
>>> data> applee=eapple
>>> 0: applee=eapple
>>> 1: apple
>>> data> sap=bsa
>>> 0: sap=bsa
>>> 1: sa
>>> data> buffalo=uffalo
>>> 0: uffalo=uffalo
>>> 1: uffalo
>>> data> buff=abuf
>>> 0: buff=abuf
>>> 1: buf
>>
>>
>>
>> --
>> Paul Schmehl, Senior Infosec Analyst
>> As if it wasn't already obvious, my opinions
>> are my own and not those of my employer.
>> *******************************************
>> "It is as useless to argue with those who have
>> renounced the use of reason as to administer
>> medication to the dead." Thomas Jefferson
>>
>
