Snort mailing list archives
How does Snort implement PCRE (?C callout functionality in snort rule?
From: "Shields, Joseph (NIH/NIEHS) [C]" <joseph.shields () nih gov>
Date: Tue, 26 Feb 2013 21:02:32 +0000
I need to use a regex (in Snort) to look for a pattern with the lookahead option. So, if a character match is an "a" (decimal 97), then I need to see if the next character is a "g" (decimal 103). This difference is 6, which is what I want to verify. This is not a plaintext analysis looking for "ag". The input stream is binary and I am looking for a pattern. So the first match could also be the letter "b" (dec. 98); then the next character needs to be "h" (dec. 104) in order to be 6 characters apart.

I think the only way to do this is to use the Perl equivalent of (?{code}). I understand PCRE emulates this with (?Cn), where n is a number ref from 0 to 255. I do not know how Snort is enabling the use of this callout function feature. I have searched for examples and in manuals but have not found anything useful so far. I'm hoping someone can help.

I don't have the Perl regex working yet either. I suspect it would look something like this: (.)(?{6=(ord(.)-ord(\1)}) I'm using Perl to do my testing of the regex code. Any help is much appreciated.

Brian

PS. Wikipedia notes a difference ("differences from Perl") between PCRE and Perl for "experimental Perl constructs". It seems this has been available for some time now, so I wonder why it is still labeled experimental??? (I disabled this link here to ensure you enter it. Nothing hidden) http:// en.wikipedia.org/wiki/Perl_Compatible_Regular_Expressions
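The byte-difference check the post describes can be expressed without any callout support, by enumerating every valid (b, b+6) pair as an alternation of \xNN escapes that both Python's re and PCRE accept. The following is an added example, not code from the post or from Snort; the sample bytes are constructed, and the plain-loop scanner is included only as a reference to confirm the regex finds the same offsets.

```python
import re

DELTA = 6  # the post wants: next byte == previous byte + 6


def build_pair_pattern(delta: int = DELTA) -> bytes:
    """Build a callout-free pattern matching any two consecutive bytes
    (b, b+delta). Every pair is listed explicitly as \\xNN escapes, so the
    engine needs neither Perl's (?{...}) nor PCRE's (?Cn); the text form is
    also what you would paste into a pcre:"..." rule option."""
    alternatives = [
        b"\\x%02x\\x%02x" % (first, first + delta)
        for first in range(0, 256 - delta)  # 0xFA..0xFF have no partner
    ]
    return b"(?:" + b"|".join(alternatives) + b")"


def find_pairs_regex(data: bytes, delta: int = DELTA) -> list:
    """Offsets of every byte pair (b, b+delta) found with the regex.
    Wrapping the alternation in a lookahead makes matches zero-width, so
    overlapping pairs such as 0x00,0x06,0x0c are both reported."""
    pattern = re.compile(b"(?=" + build_pair_pattern(delta) + b")")
    return [m.start() for m in pattern.finditer(data)]


def find_pairs_scan(data: bytes, delta: int = DELTA) -> list:
    """Reference check: the same test as a plain loop, which is what a
    (?{...}) callout would compute at each candidate position."""
    return [i for i in range(len(data) - 1) if data[i + 1] - data[i] == delta]


# Constructed sample: 'a'(97) then 'g'(103); 'b'(98) then 'h'(104); a binary
# pair 0x10,0x16; decoys 'a','h' (difference 7) and 0xFA (no 0xFA+6 exists).
SAMPLE = b"\x00ag\x7fbh\x10\x16ah\xfa\x00"

if __name__ == "__main__":
    print(find_pairs_regex(SAMPLE))  # [1, 4, 6]
    print(find_pairs_scan(SAMPLE))   # [1, 4, 6]
```

The generated pattern is long (250 alternatives), so whether it is acceptable in a production rule is a performance question; the plain scan is the cheaper check when the engine offers no callouts.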