Snort mailing list archives

[PATCH] Add a better example for pcre in the manual


From: Joshua Kinard <kumba () gentoo org>
Date: Mon, 26 Dec 2011 19:19:47 -0500


The example bit in the manual for pcre is a bit plain and really could lead
to a novice user using the option incorrectly.  The attached patch adds a
saner example:

     alert tcp any any -> any 80 (content:"/foo.php?id="; pcre:"/\/foo\.php\?id=[0-9]{1,10}/iU";)


It demonstrates two things:

1. Using a content match to allow the fast-pattern matcher to prefilter
non-matching packets so that the pcre engine only checks a minimal number of
packets.  This is one of the less-understood uses of pcre, in my opinion.

2. How a pcre enhances a content match by being able to look for variable
data while content can only look for static data, with HTTP URI strings
being a fairly common use-case.

The patch also adds an extra "note" section detailing #1 above.

Changes:
 snort_manual.tex |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)


Cheers!

-- 
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us.  And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic

Attachment: snort-2.9.2-better-pcre-example.patch

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
