[Snort-sigs] Matching PCRE

Paul Schmehl pschmehl_lists at ...3425...
Tue Jan 19 22:31:00 EST 2010


Yes, but in practice that means that \1 can match eapples with apple and 
sams with hams and adams with ams.  But I only want sams to match sams and 
eapples to match eapples and adams with adams.

--On January 19, 2010 6:45:45 PM -0600 Joel Esler <jesler at ...435...> 
wrote:

>
> \1 will match a previous parenthetical match. \2, etc.
>
> --
> Joel Esler
>
> On Jan 19, 2010, at 7:07 PM, Paul Schmehl <pschmehl_lists at ...3425...>
> wrote:
>
>> Which raised a question in mind which I've been unable to find an answer to.
>> Is there any sort of backreference in pcre that requires an *exact* match with
>> the previous string?  IOW, if I have eeapple as a match, is there any way to
>> force the backreference to only match on the entire string and not any one part
>> of it?
>>
>> I poked around on the web and found \$ and \0, but neither seemed to do the
>> trick.  I could return to \d instead of \w, but that would eliminate an entire
>> class of SQL injection matches (e.g. or a=a, etc.)
>>
>> --On Tuesday, January 19, 2010 15:13:46 -0600 Matt Olney
>> <molney at ...435...> wrote:
>>
>>>
>>> I think greediness may be biting you in the butt...
>>>
>>>
>>> So this would match:
>>>
>>>  re> /(\w+).?=.?\1/   <----rough rewrite of your pcre
>>> data> applee=eapple
>>> 0: applee=eapple
>>> 1: apple
>>> data> sap=bsa
>>> 0: sap=bsa
>>> 1: sa
>>> data> buffalo=uffalo
>>> 0: uffalo=uffalo
>>> 1: uffalo
>>> data> buff=abuf
>>> 0: buff=abuf
>>> 1: buf
>>
>>
>>
>> --
>> Paul Schmehl, Senior Infosec Analyst
>> As if it wasn't already obvious, my opinions
>> are my own and not those of my employer.
>> *******************************************
>> "It is as useless to argue with those who have
>> renounced the use of reason as to administer
>> medication to the dead." Thomas Jefferson
>>
>>



Paul Schmehl, If it isn't already
obvious, my opinions are my own
and not those of my employer.
******************************************
WARNING: Check the headers before replying
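
An added example, not part of the thread: it reproduces the pcretest results quoted above and compares them with a stricter pattern. Python's re module stands in for PCRE (both support \b and numbered backreferences); the STRICT pattern with \b anchors and the extra sample strings are assumptions made for this illustration, not a rule posted to the list.

```python
import re

# Loose pattern from the thread: nothing pins the ends of the captured word,
# so the engine may backtrack (\w+) to a shorter run or start mid-token.
LOOSE = re.compile(r'(\w+).?=.?\1', re.ASCII)

# Assumed stricter form (not from the thread): \b on both sides of the group
# and of the backreference forces a whole-token comparison.
STRICT = re.compile(r'\b(\w+)\b.?=.?\b\1\b', re.ASCII)

# Constructed samples: the four inputs from the pcretest session, the
# adams/sams cases, and whole-token tautologies that must still be caught.
SAMPLES = [
    "applee=eapple", "sap=bsa", "buffalo=uffalo", "buff=abuf",
    "adams=ams", "sams=hams",
    "sams=sams", "a=a", "1 = 1", "id=5 or eapples=eapples",
]


def hit(pattern, data):
    """Return (matched text, group 1) or None, like pcretest's 0:/1: lines."""
    m = pattern.search(data)
    return (m.group(0), m.group(1)) if m else None


def compare(samples=SAMPLES):
    """Map each sample to its (loose result, strict result) pair."""
    return {s: (hit(LOOSE, s), hit(STRICT, s)) for s in samples}


if __name__ == "__main__":
    for data, (loose, strict) in compare().items():
        print(f"{data!r:28} loose={loose!s:32} strict={strict}")
```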




