[Snort-sigs] PCRE /PR modifiers

Nick Randolph drandolph at ...435...
Tue Jul 7 14:04:10 EDT 2015


The note under the list of PCRE options says they can't be used together.

*Note: * The modifiers R (relative) and B (rawbytes) are not allowed 
with any of the HTTP modifiers such as U, I, P, H, D, M, C, K, S and Y.

You could try this
content:"ABC|3A|"; pcre:"/ABC\x3A(doA|doB|doC)/P";

On 07/07/2015 02:02 PM, lists at ...3397... wrote:
> On 07/07/15 12:56, Y M wrote:
>> content:"ABC|3A|"; http_client_body; pcre:"/(doA|doB|doC)/PR"; and this is where
>> I got the error.
> pcre:"/do[ABC]/R" maybe?
>
> ------------------------------------------------------------------------------
> Don't Limit Your Business. Reach for the Cloud.
> GigeNET's Cloud Solutions provide you with the tools and support that
> you need to offload your IT needs and focus on growing your business.
> Configured For All Businesses. Start Your Cloud Today.
> https://www.gigenetcloud.com/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20150707/8da7b22f/attachment.html>


More information about the Snort-sigs mailing list