Snort mailing list archives

PCRE /PR modifiers


From: Y M <snort () outlook com>
Date: Tue, 7 Jul 2015 17:56:42 +0000

Hi,
According to the documentation (http://manual.snort.org/node32.html#pcre-mod_snort), the PCRE modifiers P and R can be 
used to match content in HTTP request body in a relative manner and are similar to http_client_body and distance:0, 
respectively. 
While testing with a rule that uses both PCRE modifiers, I kept receiving the below error:
PCRE unsupported configuration : both relative & uri options specified
Not sure why the error refers to uri options, although the rule did not involve any uri content modifiers. For example, 
assume the following HTTP request bodies from different sessions:
ABC:doA
ABC:doB
ABC:doC
What I have been testing was something like:
content:"ABC|3A|"; http_client_body; pcre:"/(doA|doB|doC)/PR";
and this is where I got the error.
Does this mean that the PCRE "R" modifier works only with uri content matches, or is it because the "P" modifier 
matches the unnormalized HTTP body? This was strange to me because while testing I recall that using relative matches 
with http_client_body (i.e., not using PCRE) and distance:0 works just fine.
Thanks.
YM
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
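
An added example, not part of the original post and not Snort's own code: a pre-load lint in Python that flags pcre options combining the relative modifier R with an HTTP buffer modifier such as P, the combination that produced the error quoted above. It generalises from P to the other HTTP buffer modifiers; that set, the function names and the sample rules (with placeholder sids) are assumptions constructed for illustration.

```python
import re

# pcre modifiers that select an HTTP buffer in Snort 2.9. Assumption: this set
# follows the manual's modifier table; the post itself confirms only P.
HTTP_MODS = set("UIPHDMCKSY")

# Matches pcre:"/regex/flags" (optionally negated); tolerates escaped quotes.
PCRE_OPT = re.compile(r'pcre\s*:\s*!?\s*"((?:[^"\\]|\\.)*)"')


def pcre_flags(value):
    """Return the modifier letters that follow the closing delimiter."""
    if not value:
        return ""
    # Snort accepts /re/ or m<delim>re<delim>; the same character closes it.
    delim = value[1] if value[0] == "m" and len(value) > 1 else value[0]
    return value[value.rfind(delim) + 1:]


def lint_rules(text):
    """Return (line_no, flags, problem) for each pcre mixing R with an HTTP buffer."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip commented-out rules
        for m in PCRE_OPT.finditer(line):
            flags = pcre_flags(m.group(1))
            http = sorted(HTTP_MODS & set(flags))
            if "R" in flags and http:
                findings.append((no, flags, "relative R used with HTTP modifier " + ",".join(http)))
    return findings


# Constructed rules for illustration; sids are placeholders.
SAMPLE = r'''
# rule 1 reproduces the option string from the post
alert tcp any any -> any 80 (content:"ABC|3A|"; http_client_body; pcre:"/(doA|doB|doC)/PR"; sid:1000001;)
alert tcp any any -> any 80 (content:"ABC|3A|"; http_client_body; pcre:"/ABC\x3a(doA|doB|doC)/P"; sid:1000002;)
alert tcp any any -> any 80 (content:"ABC|3A|"; pcre:"/^(doA|doB|doC)/R"; sid:1000003;)
'''

if __name__ == "__main__":
    for no, flags, problem in lint_rules(SAMPLE):
        print(f"line {no}: pcre flags '{flags}': {problem}")
```

Only the first sample rule is reported; the second folds the anchor into the regex and keeps P alone, and the third uses R against the raw payload with no HTTP modifier.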

