[Bro] Questions about signature regexes
christian at whoop.org
Sat Jan 28 11:00:00 PST 2006
a few quick questions about the regular expressions used in rule content
- Are they PCREs? I see a lot of "# Not supported: pcre" in
scripts/23b/example_bro_files/signatures.sig and wanted to make sure.
- When I want a pattern to match at the beginning of the payload, I
presume I have to say "payload /^", right?
- Can I match on fixed TCP stream content of a given length by giving
the whole string surrounded by ^ and $, i.e., this:
More information about the Bro