[Snort-users] How does Snort implement PCRE (?C callout functionality in snort rule?

Shields, Joseph (NIH/NIEHS) [C] joseph.shields at ...7983...
Tue Feb 26 16:02:32 EST 2013


I need to use regex (in Snort) to look for a pattern with the lookahead option. So, if a character match is an "a" (decimal 97), then I need to see if the next character is a "g" (decimal 103). This difference is 6, which is what I want to verify. This is not a plaintext analysis looking for "ag". The input stream is binary and I am looking for a pattern. So the first match could also be the letter "b" (dec. 98); then the next character needs to be "h" (dec. 104) in order to be 6 characters apart. I think the only way to do this is to use the Perl equivalent of (?{code}). I understand PCRE emulates this with (?Cn), where n is a number ref from 0 to 255. I do not know how Snort is enabling the use of this callout function feature. I have searched for examples and in the manuals but have not found anything useful so far. I'm hoping someone can help.
I don't have the Perl regex working yet either. I suspect it would look something like this:
(?s)(.)(?=(.))(?(?{ ord($2) - ord($1) != 6 })(?!))

I'm using perl to do my testing of the regex code.  Any help is much appreciated.

Brian

PS. Wikipedia notes a difference ("differences from Perl") between PCRE and Perl for "experimental Perl constructs". It seems this has been available for some time now, so I wonder why it is still labeled experimental??? (I disabled this link here to ensure you enter it. Nothing hidden) http:// en.wikipedia.org/wiki/Perl_Compatible_Regular_Expressions
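The check the post describes (a byte immediately followed by the byte six higher, anywhere in binary data) does not actually need a callout or embedded code: since there are only 250 valid (b, b+6) byte pairs, the whole condition can be spelled out as an alternation of two-byte hex escapes, which is plain PCRE syntax that Snort's pcre option accepts. The example below is added here and is not code from the original post or from the Snort project; it builds that alternation, verifies it against a constructed byte sample with Python's re module (cross-checked against a plain ord()-difference loop), and assembles an illustrative Snort rule around it. The rule header, msg text and sid are placeholders, not a rule from any published ruleset.

```python
import re

DELTA = 6  # wanted difference between a byte and the byte that follows it


def pair_alternation(delta: int = DELTA) -> str:
    """Build a PCRE-compatible pattern for "byte b immediately followed by b+delta".

    Every valid (b, b+delta) pair is spelled out as two hex escapes and joined
    with '|', so the pattern needs no callout (?C), no embedded code and no
    lookbehind, and works in any PCRE-based matcher.
    """
    if not 0 < delta < 256:
        raise ValueError("delta must be between 1 and 255")
    pairs = (f"\\x{b:02x}\\x{b + delta:02x}" for b in range(256 - delta))
    return "(?:" + "|".join(pairs) + ")"


def find_pairs(data: bytes, delta: int = DELTA) -> list[int]:
    """Offsets in data at which a byte is followed by byte+delta.

    The alternation is wrapped in a lookahead so each hit is zero-width and
    overlapping hits (e.g. the bytes 'a','g','m') are all reported.
    """
    pat = re.compile(("(?=" + pair_alternation(delta) + ")").encode("ascii"))
    return [m.start() for m in pat.finditer(data)]


def find_pairs_bruteforce(data: bytes, delta: int = DELTA) -> list[int]:
    """Reference implementation: the ord()-difference check done in plain code."""
    return [i for i in range(len(data) - 1) if data[i + 1] - data[i] == delta]


def snort_rule(sid: int, delta: int = DELTA) -> str:
    """Assemble an illustrative Snort rule (hypothetical header, msg and sid)
    whose pcre option carries the generated alternation."""
    return (
        "alert tcp any any -> any any ("
        f'msg:"adjacent bytes differ by {delta}"; '
        f'pcre:"/{pair_alternation(delta)}/"; '
        f"sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    # Constructed sample: the 'a','g' and 'b','h' pairs from the post plus a
    # non-printable pair 0xf9,0xff near the top of the byte range.
    sample = b"\x00ag\x05bh\xf9\xff\xfa"
    print(find_pairs(sample))                      # [1, 4, 6]
    print(find_pairs_bruteforce(sample))           # [1, 4, 6]
    print(snort_rule(1000001)[:120] + "...")
```

The generated pattern is long (about 2 KB for 250 pairs) but contains only literal bytes and alternation, so it is cheap for the matcher and carries none of the complexity or engine-dependence of callouts. The lookahead wrapper is only there so the Python cross-check reports overlapping offsets; in a rule, the bare alternation returned by pair_alternation is what goes inside the pcre option.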