Snort mailing list archives

Snort 3 regex compile issue.


From: ankan chatterjee via Snort-sigs <snort-sigs () lists snort org>
Date: Tue, 2 Aug 2022 13:21:31 +0530

Hello experts,

I am trying to create a regex for a particular pattern which is a UK
National insurance number and passport number.

In the process I see that zero-width assertions are not supported in
Snort 3, and hence I am getting a compile error.


FAIL (compile): 1:/^(?!^0+$)[a-zA-Z0-9]{6,9}$/: Zero-width assertions are
not supported.

FAIL (compile): 2:/
(?ms)(\b(?:(?!BG)(?!GB)(?!NK)(?!KN)(?!TN)(?!NT)(?!ZZ)(?:[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z])(?:\s*\d\s*){6}(?:[A-D]|\s))\b.*?)/:
Zero-width assertions are not supported.

OK: 3:/^[a-z][0-9]$/

FAIL (compile): 4:/(.*)/: Pattern matches empty buffer; use
HS_FLAG_ALLOWEMPTY to enable support.

FAIL (compile): 5:/^(?![0-9])/: Zero-width assertions are not supported.

OK: 6:/(\d{3})\d{3}-\d{4}/

OK: 7:/^([?!0-9])/

SUMMARY: 4 of 7 failed.

Is there a way to write the regex to match the required format?

The UK NINO format is:


   - Must be 9 characters.
   - First 2 characters must be alpha.
   - Next 6 characters must be numeric.
   - Final character can be A, B, C, D or space.
   - First character must not be D,F,I,Q,U or V.
   - Second character must not be D, F, I, O, Q, U or V.
   - First 2 characters must not be combinations of GB, NK, TN or ZZ (the
   term combinations covers both GB and BG etc.)


I am stuck on the last one:

   - First 2 characters must not be combinations of GB, NK, TN or ZZ (the
   term combinations covers both GB and BG etc.)

I have attached the rules for reference.


Any help is much appreciated.

Thank you in advance.

Regards,
Ankan

Attachment: snort3rules_NINO.txt

Attachment: snort3rules_passport.txt
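
One way to express the last rule without zero-width assertions, as an added example that is not part of the original message or the attached rules: list which second letters each first letter allows and emit an alternation of plain character classes. It assumes uppercase input and the strict 9-character layout listed above; Python's `re` is used only to compare the result with the lookahead form, and the pattern has not been compiled under Snort 3 here.

```python
import re
from itertools import product
from string import ascii_uppercase as AZ

# Rules as listed in the message above.
FIRST = [c for c in AZ if c not in "DFIQUV"]
SECOND = [c for c in AZ if c not in "DFIOQUV"]
BANNED = {"GB", "BG", "NK", "KN", "TN", "NT", "ZZ"}

def char_class(chars):
    """Render letters as a compact class, e.g. 'ABCE' -> '[A-CE]'."""
    chars, parts, i = sorted(chars), [], 0
    while i < len(chars):
        j = i
        while j + 1 < len(chars) and ord(chars[j + 1]) == ord(chars[j]) + 1:
            j += 1
        # Runs of three or more become a range; shorter runs are spelled out.
        parts.append(f"{chars[i]}-{chars[j]}" if j - i >= 2 else "".join(chars[i:j + 1]))
        i = j + 1
    return "[" + "".join(parts) + "]"

def prefix_pattern():
    """Alternation over first letters, grouped by the second letters each allows."""
    groups = {}
    for a in FIRST:
        allowed = frozenset(b for b in SECOND if a + b not in BANNED)
        groups.setdefault(allowed, []).append(a)
    return "(?:" + "|".join(char_class(f) + char_class(s) for s, f in groups.items()) + ")"

# Strict 9-character form: prefix, six digits, then A-D or a space.
NINO = prefix_pattern() + r"\d{6}[A-D ]"

# Lookahead form of the same rules, used only as a reference for the check below.
REFERENCE = r"(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D ]"

def accepted_prefixes(pattern):
    """Two-letter prefixes the pattern accepts, tried with a constructed tail."""
    rx = re.compile(pattern)
    return {a + b for a, b in product(AZ, repeat=2) if rx.fullmatch(a + b + "123456C")}

if __name__ == "__main__":
    print(NINO)
    print("same prefixes as lookahead form:",
          accepted_prefixes(NINO) == accepted_prefixes(REFERENCE))
```

If whitespace between the digits has to be tolerated, as in the second pattern of the compile output, only the tail after the prefix group needs to change.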
