Enquiry on PCRE

[yew chuan Ong <yewchuan_23 () yahoo com>]

Hi Guys,

I am kind of confuse with the pcre in this rule:
pcre:"/^[^\x3a\x3f]{11,}\x3a\x2f/Usmi"

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Checkpoint Firewall-1 HTTP parsing format 
string vulnerability attempt"; flow:to_server,established; content:"|3A|/"; offset:11; http_uri; 
pcre:"/^[^\x3a\x3f]{11,}\x3a\x2f/Usmi"; reference:bugtraq,9581; reference:cve,2004-0039; reference:nessus,12084; 
classtype:attempted-admin; sid:2381; rev:15;) 

Does it mean that the payload should have ":?" appeared for at least 11 times and following with ":/"?
Thanks!


Regards
YC

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!