Snort mailing list archives
[PATCH] Add a better example for pcre in the manual
From: Joshua Kinard <kumba () gentoo org>
Date: Mon, 26 Dec 2011 19:19:47 -0500
The example bit in the manual for pcre is a bit plain and really could lead to a novice user using the option incorrectly. The attached patch adds a saner example:

    alert tcp any any -> any 80 (content:"/foo.php?id="; pcre:"/\/foo.php?id=[0-9]{1,10}/iU";)

It demonstrates two things:

1. Using a content match to allow the fast-pattern matcher to prefilter non-matching packets so that the pcre engine only checks a minimal number of packets. This is one of the less-understood uses of pcre, in my opinion.

2. How a pcre enhances a content match by being able to look for variable data while content can only look for static data, with HTTP URI strings being a fairly common use-case.

The patch also adds an extra "note" section detailing #1 above.

Changes:
 snort_manual.tex | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

Cheers!

--
Joshua Kinard
Gentoo/MIPS
kumba () gentoo org
4096R/D25D95E3 2011-03-28

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic
Attachment:
snort-2.9.2-better-pcre-example.patch
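
The two-stage evaluation described in the post, modelled as an added Python example (not part of the original message, the patch, or Snort itself). A substring test stands in for the fast-pattern prefilter, request_uri() is a hypothetical, simplified stand-in for the URI buffer selected by the U modifier, and the payloads are constructed. The pattern is run both as posted and with the literal '.' and '?' escaped, since both are regex operators.

```python
import re

# Constructed sample payloads (the request line of an HTTP request each).
PAYLOADS = [
    b"GET /foo.php?id=12345 HTTP/1.1\r\n",
    b"GET /foo.php?id=abc HTTP/1.1\r\n",
    b"GET /index.html HTTP/1.1\r\n",
    b"GET /foo.phpid=7 HTTP/1.1\r\n",
    b"POST /login HTTP/1.1\r\n",
]

# Static bytes from the rule's content option.
CONTENT = b"/foo.php?id="
# Pattern as written in the post: '.' matches any byte, '?' makes 'p' optional.
PCRE_AS_POSTED = re.compile(rb"\/foo.php?id=[0-9]{1,10}", re.I)
# Same intent with the literal '.' and '?' escaped.
PCRE_ESCAPED = re.compile(rb"\/foo\.php\?id=[0-9]{1,10}", re.I)


def request_uri(payload):
    """Assumed simplification of the URI buffer: the second token of the
    request line, with no normalization applied."""
    parts = payload.split(b" ", 2)
    return parts[1] if len(parts) == 3 else b""


def evaluate(payloads, pattern):
    """Return (alerts, regex_calls): the payloads that alert, and how many
    times the regex engine ran after the content prefilter."""
    alerts, regex_calls = [], 0
    for payload in payloads:
        if CONTENT not in payload:   # cheap static prefilter
            continue
        regex_calls += 1             # only survivors reach the regex
        if pattern.search(request_uri(payload)):
            alerts.append(payload)
    return alerts, regex_calls


if __name__ == "__main__":
    for name, pat in (("as posted", PCRE_AS_POSTED), ("escaped", PCRE_ESCAPED)):
        alerts, calls = evaluate(PAYLOADS, pat)
        print(f"{name}: regex ran on {calls}/{len(PAYLOADS)} payloads, alerts={alerts}")
```

Of the five payloads only two reach the regex engine. With the metacharacters unescaped, a request for /foo.php?id=12345 passes the content match but not the pcre, so the rule never alerts on it.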