[Bro] Questions about signature regexes

Christian Kreibich christian at whoop.org
Sat Jan 28 11:00:00 PST 2006


Hi,

a few quick questions about the regular expressions used in rule content
conditions.

- Are they PCREs? I see a lot of "# Not supported: pcre" in
scripts/23b/example_bro_files/signatures.sig and wanted to make sure.

- When I want a pattern to match at the beginning of the payload, I
presume I have to say "payload /^", right?

- Can I match on fixed TCP stream content of a given length by giving
the whole string surrounded by ^ and $, i.e., this:

	payload /^foo$/

Thanks!

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org




