[Snort-users] pcre/regex help

Dave Osbourne dave at osbourne.uk.eu.org
Fri Sep 29 08:08:35 EDT 2017


I'm not sure that I'm answering your question, but I use this:

    pcre:"/[0-9A-Za-z\.\_\-]{1,100}@[0-9A-Za-z\.\_\-]{2,100}/"

D

On 2017-09-29 13:04, John Hally wrote:
>
> Hi All,
>
> I’m trying to write a rule to capture email addresses being submitted 
> to a web application and I cant seem to get the regex to work.
>
> alert tcp $EXTERNAL_NET any -> any 80 (msg:"Target Email Detected"; 
> pcre:"/.+\@.+\..+"; fast_pattern:only; nocase; classtype: Target Email 
> Detected ;sid:1000023 ;)
>
> I get the following error when running snort –T:
>
> ERROR: /etc/snort/rules/local.rules Line 30 => unable to parse pcre 
> regex ".+\@.+\..+"
>
> Any help would be greatly appreciated!
>
> Thanks
>
> John.
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.snort.org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170929/4f48636e/attachment.html>


More information about the Snort-users mailing list