Snort mailing list archives

Re: /smi at the end of pcre statements


From: Nigel Houghton <nhoughton () sourcefire com>
Date: Mon, 16 Mar 2009 15:03:06 -0400

On Mon, Mar 16, 2009 at 1:19 PM, Stephen Mullins
<steve.mullins.work () gmail com> wrote:
> Thanks, that will come in handy, especially the Snort specific portion.
>
> The "/smi" question is still stumping me and some of my colleagues.

http://www.snort.org/docs/snort_htmanuals/htmanual_2832/node274.html

Snort Users Manual

Format

pcre:[!]"(/<regex>/|m<delim><regex><delim>)[ismxAEGRUB]";

The post-re modifiers set compile time flags for the regular expression.

Table 3.6: Perl compatible modifiers

i       case insensitive
s       include newlines in the dot metacharacter
m       By default, the string is treated as one big line of characters.
        ^ and $ match at the beginning and ending of the string. When m is
        set, ^ and $ match immediately following or immediately before any
        newline in the buffer, as well as the very start and very end of
        the buffer.

Extrapolating this information gives us:

smi == include newlines in the dot metacharacter, match the start and
end immediately following or before any newline as well as the start
and end of the buffer and make it case insensitive

-- 
Nigel Houghton
Head Mentalist
SF VRT
http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
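
Added example, not part of the original message and not Snort code: a small Python parser for the `/<regex>/<modifiers>` form of the pcre option that shows which subsets of `s`, `m` and `i` let one pattern match a multi-line buffer. It assumes Python's `re` flags DOTALL, MULTILINE and IGNORECASE behave like the Perl-compatible `s`, `m` and `i` described above; the sample buffer, the pattern and all function names are constructed for illustration.

```python
import re
from itertools import combinations

# Perl-compatible modifiers that have a direct Python `re` equivalent.
# The other letters in the format line (A E G R U B) are rejected below.
PERL_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}

# Only the /<regex>/ form is handled, not m<delim><regex><delim>.
OPTION = re.compile(r'^pcre:\s*(!?)"/(.*)/([A-Za-z]*)"\s*;$', re.DOTALL)

# Constructed sample buffer (not captured traffic).
SAMPLE = (
    "GET /index.html HTTP/1.1\n"
    "Host: example.test\n"
    "user-agent: TestClient\n"
    "X-Note: pass=1\n"
)
# Needs m (line-start ^), i (lower-case header) and s (.* across a newline).
REGEX = r"^User-Agent:.*pass="


def parse_pcre_option(option):
    """Return (negated, compiled_regex) for a pcre rule option string."""
    m = OPTION.match(option.strip())
    if not m:
        raise ValueError('expected pcre:[!]"/<regex>/<modifiers>";')
    flags = 0
    for ch in m.group(3):
        if ch not in PERL_FLAGS:
            raise ValueError("modifier %r is not handled here" % ch)
        flags |= PERL_FLAGS[ch]
    return m.group(1) == "!", re.compile(m.group(2), flags)


def option_matches(option, buffer):
    """True when the option would fire on buffer, honouring the [!] negation."""
    negated, rx = parse_pcre_option(option)
    return (rx.search(buffer) is not None) != negated


def flag_table(regex, buffer, mods="smi"):
    """Map every subset of mods to whether /regex/<subset> matches buffer."""
    return {
        "".join(c): option_matches('pcre:"/%s/%s";' % (regex, "".join(c)), buffer)
        for n in range(len(mods) + 1) for c in combinations(mods, n)
    }


if __name__ == "__main__":
    for mods, hit in flag_table(REGEX, SAMPLE).items():
        print("/%s  %s" % (mods.ljust(3), "match" if hit else "no match"))
```

On this buffer only the full `smi` combination matches; dropping any one of the three modifiers makes the pattern miss.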
