[Bro] regular expressions in bro signatures (payload)

Robin Sommer sommer at in.tum.de
Sat Apr 30 01:25:09 PDT 2005

On Fri, Apr 29, 2005 at 14:46 -0500, you wrote:

> How I can (or cannot) use regular expressions in payload directive
> in bro signatures ?

The payload directive supports all of Bro's usual regular expression
operators. IIRC, there's a section on patterns in Bro's manual (Bro
uses the same syntax for regexps than flex).

You're right, snort2bro does not support pcre yet. There's an
experimental version which does but that isn't finished yet.

(Btw, Bro's signatures supported regular expressions even before
Snort got pcre. :-)

> Also, are RE in signatures case sensitive too ? 

Yes, they are.


Robin Sommer * Room        01.08.055 * www.net.in.tum.de
TU Muenchen  * Phone (089) 289-18006 *  sommer at in.tum.de 

More information about the Bro mailing list