Re: PCRE /PR modifiers

[Nick Randolph <drandolph () sourcefire com>]

The note under the list of PCRE options says they can't be used together.

*Note: * The modifiers R (relative) and B (rawbytes) are not allowed 
with any of the HTTP modifiers such as U, I, P, H, D, M, C, K, S and Y.

You could try this
content:"ABC|3A|"; pcre:"/ABC\x3A(doA|doB|doC)/P";

On 07/07/2015 02:02 PM, lists () packetmail net wrote:
> On 07/07/15 12:56, Y M wrote:
> > content:"ABC|3A|"; http_client_body; pcre:"/(doA|doB|doC)/PR"; and this is where
> > I got the error.
> pcre:"/do[ABC]/R" maybe?
>
> ------------------------------------------------------------------------------
> Don't Limit Your Business. Reach for the Cloud.
> GigeNET's Cloud Solutions provide you with the tools and support that
> you need to offload your IT needs and focus on growing your business.
> Configured For All Businesses. Start Your Cloud Today.
> https://www.gigenetcloud.com/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!