Snort mailing list archives

Re: pcre/regex help

From: Dave Osbourne <dave () osbourne uk eu org>
Date: Fri, 29 Sep 2017 13:08:35 +0100


I'm not sure that I'm answering your question, but I use this:

   pcre:"/[0-9A-Za-z\.\_\-]{1,100}@[0-9A-Za-z\.\_\-]{2,100}/"

D

On 2017-09-29 13:04, John Hally wrote:

Hi All,
I’m trying to write a rule to capture email addresses being submittedto a web application and I cant seem to get the regex to work.
alert tcp $EXTERNAL_NET any -> any 80 (msg:"Target Email Detected";pcre:"/.+\@.+\..+"; fast_pattern:only; nocase; classtype: Target EmailDetected ;sid:1000023 ;)
I get the following error when running snort –T:
ERROR: /etc/snort/rules/local.rules Line 30 => unable to parse pcreregex ".+\@.+\..+"
Any help would be greatly appreciated!

Thanks

John.



_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

pcre/regex help John Hally (Sep 29)
- Re: pcre/regex help Dave Osbourne (Sep 29)
- Re: pcre/regex help wkitty42 (Sep 29)