[Bro] Questions about signature regexes
Robin Sommer
robin at icir.org
Sat Jan 28 20:23:12 PST 2006
On Sat, Jan 28, 2006 at 19:00 +0000, you wrote:
> - Are they PCREs? I see a lot of "# Not supported: pcre" in
They are regexps but not PCREs; they use Bro's syntax which is
slightly different.
(That reminds me that I've a prototypical pcre->bro converter lying
around somewhere. But actually there doesn't seem to be much
interest in automatically converting Snort sigs these days.)
> - When I want a pattern to match at the beginning of the payload, I
> presume I have to say "payload /^", right?
Right. Alternatively you can just leave the "^" out as the regexps
are implicitly anchored at the first byte. To match at arbitrary
positions, a wildcard is required, e.g., "/.*foo/".
> - Can I match on fixed TCP stream content of a given length by giving
> the whole string surrounded by ^ and $, i.e., this:
Yes.
Robin
--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICIR/ICSI * Fax +1 (510) 666-2956 * www.icir.org
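The anchoring rule described in the reply above (a signature's payload regexp matches from the first byte of the payload unless it starts with a wildcard, and `^...$` pins down fixed content of a given length) can be simulated outside Bro. The script below is an added illustration, not code from the mail or from the Bro project: it uses Python's `re` module as a stand-in matcher (Bro's own flex-style syntax is not modelled, and the `re.DOTALL` choice and the use of `\Z` for end-of-payload are assumptions of the simulation), and the payloads are constructed, not captured traffic.

```python
"""Simulate Bro's implicit anchoring of signature payload regexps.

A Bro signature such as the following sketch (illustrative, not from the mail)

    signature http-get-anywhere {
        ip-proto == tcp
        dst-port == 80
        payload /.*GET \/index\.html/
        event "GET /index.html seen"
    }

needs the leading ".*" because "payload /GET \/index\.html/" alone would only
fire when the request starts at byte 0 of the stream.
"""
import re


def bro_payload_match(pattern: bytes, payload: bytes) -> bool:
    """Return True if PATTERN matches PAYLOAD under Bro-style anchoring.

    re.match only succeeds when the expression matches from offset 0, which is
    the implicit "^" the mail describes.  re.DOTALL lets "." cross newline
    bytes because TCP payload is arbitrary binary data (simulation assumption).
    """
    return re.match(pattern, payload, re.DOTALL) is not None


# Constructed sample payloads (not captured traffic).
GET_AT_START = b"GET /index.html HTTP/1.0\r\n"
GET_AT_OFFSET = b"junk junk GET /index.html HTTP/1.0\r\n"
EXACT = b"EXACT-CONTENT"


def demo() -> dict:
    """Run the comparisons the mail talks about and return the outcomes."""
    return {
        # "/GET /" and "/^GET /" behave identically: the anchor is implied.
        "start_plain": bro_payload_match(rb"GET ", GET_AT_START),
        "start_caret": bro_payload_match(rb"^GET ", GET_AT_START),
        # Without a leading wildcard, a GET later in the stream is missed ...
        "offset_plain": bro_payload_match(rb"GET ", GET_AT_OFFSET),
        # ... and "/.*GET /" is what makes it match at an arbitrary position.
        "offset_wildcard": bro_payload_match(rb".*GET ", GET_AT_OFFSET),
        # Fixed content of a given length: surround it with "^" and an end
        # anchor.  \Z stands in for Bro's "$" because Python's "$" also matches
        # just before a trailing newline, which would loosen the length check.
        "exact_ok": bro_payload_match(rb"^EXACT-CONTENT\Z", EXACT),
        "exact_extra_byte": bro_payload_match(rb"^EXACT-CONTENT\Z", EXACT + b"X"),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:18s} -> {hit}")
```

The two "start" entries come out the same, the plain pattern fails once the content moves off byte 0, and only the `.*` form recovers it; the exact-content pattern rejects a payload that is one byte longer than the string it encloses.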