[Snort-users] /smi at the end of pcre statements

Nigel Houghton nhoughton at ...1935...
Mon Mar 16 15:03:06 EDT 2009


On Mon, Mar 16, 2009 at 1:19 PM, Stephen Mullins
<steve.mullins.work at ...11827...> wrote:
> Thanks, that will come in handy, especially the Snort specific portion.
>
> The "/smi" question is still stumping me and some of my colleagues.

http://www.snort.org/docs/snort_htmanuals/htmanual_2832/node274.html

Snort Users Manual

Format

pcre:[!]"(/<regex>/|m<delim><regex><delim>)[ismxAEGRUB]";

The post-re modifiers set compile time flags for the regular expression.

Table 3.6: Perl compatible modifiers

i 	case insensitive

s 	include newlines in the dot metacharacter

m 	By default, the string is treated as one big line of characters. ^
and $ match at the beginning and ending of the string. When m is set,
^ and $ match immediately following or immediately before any newline
in the buffer, as well as the very start and very end of the buffer.

Extrapolating this information gives us:

smi == include newlines in the dot metacharacter, match the start and
end immediately following or before any newline as well as the start
and end of the buffer and make it case insensitive

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
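
Added example (not part of the original message and not Snort's own code): a Python sketch that parses the pcre option format quoted from the manual above and evaluates it against a constructed buffer, showing that one pattern needs all three of s, m and i to match. Assumptions: Python's re module stands in for PCRE, and the function names and sample buffer are hypothetical.

```python
import re

# Perl-compatible modifiers from the manual excerpt, mapped to Python re flags.
# Assumption: Python's re stands in for PCRE; i, s and m behave the same way.
FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE}

# Format: pcre:[!]"(/<regex>/|m<delim><regex><delim>)[ismxAEGRUB]";
OPTION = re.compile(r'pcre:\s*(!?)\s*"(.*)"\s*;', re.DOTALL)

# Constructed sample buffer (not real traffic).
SAMPLE = "GET /index.html HTTP/1.1\r\nhost: Example.COM\r\nX-Token: abc\r\n\r\n"

def parse_pcre_option(option):
    """Split a pcre rule option into (negated, regex, modifiers)."""
    m = OPTION.fullmatch(option.strip())
    if not m:
        raise ValueError("not a pcre option")
    negated, body = m.group(1) == "!", m.group(2)
    if body.startswith("/"):
        delim, start = "/", 1
    elif body.startswith("m") and len(body) > 2:
        delim, start = body[1], 2
    else:
        raise ValueError("regex must be /.../ or m<delim>...<delim>")
    end = body.rfind(delim)
    if end < start:
        raise ValueError("missing closing delimiter")
    regex, mods = body[start:end], body[end + 1:]
    if not set(mods) <= set("ismxAEGRUB"):
        raise ValueError("unknown modifier in %r" % mods)
    return negated, regex, mods

def option_matches(option, buffer=SAMPLE):
    """Evaluate the option against buffer; only i, s and m are modelled."""
    negated, regex, mods = parse_pcre_option(option)
    if set(mods) - set(FLAGS):
        raise NotImplementedError("only i, s and m are modelled here")
    flags = 0
    for c in mods:
        flags |= FLAGS[c]
    return (re.search(regex, buffer, flags) is not None) != negated

def ablation(regex=r"^HOST:.+^x-token:"):
    """Show which of s, m, i this pattern needs to match SAMPLE."""
    return {mods: option_matches('pcre:"/%s/%s";' % (regex, mods))
            for mods in ("smi", "sm", "si", "mi", "")}

if __name__ == "__main__":
    for mods, hit in ablation().items():
        print("/%-3s -> %s" % (mods, hit))
```

Dropping i fails on case, dropping m leaves ^ pinned to the start of the buffer, and dropping s stops the dot at the first newline.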



