[Snort-users] pcre/regex help

wkitty42 at windstream.net wkitty42 at windstream.net
Fri Sep 29 10:47:02 EDT 2017


On 09/29/2017 08:04 AM, John Hally wrote:
> Hi All,
> 
> I’m trying to write a rule to capture email addresses being submitted to a web 
> application and I can’t seem to get the regex to work.
> 
> alert tcp $EXTERNAL_NET any -> any 80 (msg:"Target Email Detected"; 
> pcre:"/.+\@.+\..+"; fast_pattern:only; nocase; classtype: Target Email Detected 
> ;sid:1000023 ;)


looks to me like you don't have the closing "/" of the regex in place...


   pcre:"/.+\@.+\..+/";



-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list unless*
        *a signed and pre-paid contract is in effect with us.*
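
A small pre-flight check for the mistake pointed out in this reply, as an added example that is not part of the original message or of Snort itself: it verifies that each pcre option in a rule has both "/" delimiters and approximates the match with Python's re. The function names, the sample payload, the "last unescaped slash closes the regex" simplification and the reduction to the i/s/m/x modifiers are assumptions made for the illustration.

```python
import re

# One pcre option: pcre:[!]"<body>"; where <body> may contain backslash escapes.
PCRE_OPT = re.compile(r'pcre\s*:\s*!?\s*"((?:\\.|[^"\\])*)"\s*;')
# Subset of modifiers that map directly onto Python's re flags (approximation of PCRE).
PY_FLAGS = {"i": re.I, "s": re.S, "m": re.M, "x": re.X}

def split_pcre(body):
    """Split '/regex/mods' into (regex, mods); raise ValueError if a delimiter is missing."""
    if not body.startswith("/"):
        raise ValueError("missing opening '/'")
    end, i = None, 1
    while i < len(body):
        if body[i] == "\\":      # skip the escaped character, e.g. \/ or \@
            i += 2
            continue
        if body[i] == "/":
            end = i              # remember the last unescaped '/' (assumed closer)
        i += 1
    if end is None:
        raise ValueError("missing closing '/'")
    mods = body[end + 1:]
    if mods and not mods.isalpha():
        raise ValueError("unexpected text after closing '/': %r" % mods)
    return body[1:end], mods

def lint_rule(rule):
    """Return [(pcre_body, error_or_None), ...] for every pcre option in the rule."""
    out = []
    for m in PCRE_OPT.finditer(rule):
        try:
            split_pcre(m.group(1))
            out.append((m.group(1), None))
        except ValueError as e:
            out.append((m.group(1), str(e)))
    return out

def pcre_matches(body, payload):
    """Approximate the match with Python's re (only i/s/m/x modifiers are honoured)."""
    regex, mods = split_pcre(body)
    flags = 0
    for c in mods:
        flags |= PY_FLAGS.get(c, 0)
    return re.search(regex, payload, flags) is not None

# The two pcre options from the thread, plus a constructed payload.
POSTED = r'pcre:"/.+\@.+\..+"; fast_pattern:only; nocase;'
FIXED = r'pcre:"/.+\@.+\..+/";'
SAMPLE = 'POST /signup HTTP/1.1\r\n\r\n{"email":"alice@example.com"}'  # constructed
```

Calling `lint_rule` on a rule before loading it reports the pcre body and the delimiter problem, and `pcre_matches` gives a quick offline check of the corrected pattern against a captured payload.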


