Snort mailing list archives

How does Snort implement PCRE (?C callout functionality in snort rule?


From: "Shields, Joseph (NIH/NIEHS) [C]" <joseph.shields () nih gov>
Date: Tue, 26 Feb 2013 21:02:32 +0000

I need to use regex (in Snort) to look for a pattern with the lookahead option. So, if a character match is an "a" (decimal 97), then I need to see if the next character is a "g" (decimal 103). This difference is 6, which is what I want to verify. This is not a plaintext analysis looking for "ag". The input stream is binary and I am looking for a pattern. So the first match could also be the letter "b" (dec. 98), and then the next character needs to be "h" (dec. 104) in order to be 6 characters apart. I think the only way to do this is to use the Perl equivalent of (?{code}). I understand PCRE emulates this with (?Cn), where n is a number from 0 to 255. I do not know how Snort is enabling the use of this callout function feature. I have searched for examples and in manuals but have not found anything useful so far. I'm hoping someone can help.

I don't have the Perl regex working yet either. I suspect it would look something like this:

(.)(?{6=(ord(.)-ord(\1)})

I'm using perl to do my testing of the regex code.  Any help is much appreciated.

Brian

PS. Wikipedia notes a difference ("differences from Perl") between PCRE and Perl for "experimental Perl constructs". It seems this has been available for some time now, so I wonder why it is still labeled experimental??? (I disabled this link here to ensure you enter it. Nothing hidden.) http:// en.wikipedia.org/wiki/Perl_Compatible_Regular_Expressions
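Added example, not part of the original post and not Snort's own code. A rule option cannot carry Perl code, and Snort's pcre keyword hands the pattern to the PCRE library without registering a callout handler, so a (?Cn) in a rule has nothing to call. The practical way to express "byte b followed by byte b+6" in a rule is to unroll the 250 possible pairs into a plain alternation written with \xHH escapes, which both Python's re and PCRE accept. The code below builds that pattern, uses a lookahead for the second byte so overlapping pairs are still reported, checks it against a straightforward byte scan on a constructed binary sample, and prints a rule body that pastes into a Snort pcre option. The sample bytes, the sid, and the helper names are all my own choices.

```python
import re

# Constructed binary sample: pairs with a difference of 6 sit at offsets
# 0 (\x00,\x06), 5 ("a","g"), 7 ("b","h") and 10 (\xf9,\xff).
SAMPLE = b"\x00\x06xyzagbhQ\xf9\xff"


def pair_alternation(delta, lookahead=True):
    """Return a pattern matching any byte b immediately followed by b+delta.

    Every byte is written as \\xHH, so the text contains no regex
    metacharacters, quotes or semicolons and can be dropped straight into a
    Snort pcre:"/.../" option. With lookahead=True only the first byte is
    consumed, so adjacent pairs such as "agm" (97->103, 103->109) are both
    found by a scanning matcher.
    """
    if not 1 <= delta <= 255:
        raise ValueError("delta must be in 1..255")
    alts = []
    for b in range(0, 256 - delta):
        first = r"\x%02x" % b
        second = r"\x%02x" % (b + delta)
        alts.append(first + "(?=" + second + ")" if lookahead else first + second)
    return "|".join(alts)


def regex_offsets(data, delta):
    """Offsets of the first byte of each matching pair, via the regex."""
    rx = re.compile(pair_alternation(delta).encode("ascii"))
    return [m.start() for m in rx.finditer(data)]


def scan_offsets(data, delta):
    """Same result computed the obvious way, used to cross-check the regex."""
    return [i for i in range(len(data) - 1) if data[i + 1] - data[i] == delta]


def snort_rule(delta, sid=1000001):
    """Assumed rule header and sid; only the pcre option is the point here."""
    return ('alert tcp any any -> any any (msg:"byte followed by byte+%d"; '
            'pcre:"/%s/"; sid:%d; rev:1;)' % (delta, pair_alternation(delta), sid))


if __name__ == "__main__":
    print("regex :", regex_offsets(SAMPLE, 6))
    print("scan  :", scan_offsets(SAMPLE, 6))
    print(snort_rule(6))
```

The generated option is long (about 3 KB for delta 6) but contains only escaped bytes, so it needs no further quoting. Note that the arithmetic only works for a fixed delta; a rule that had to accept any delta would need a separate alternation per value, which is where a genuine callout or (?{code}) would otherwise come in.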
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
