pcre

The pcre rule option matches regular expression strings against packet data.

Regular expressions written for this option use Perl-compatible regular expression (PCRE) syntax; see the PCRE documentation for the full syntax.

The regular expression is enclosed in double quotes and must start and end with forward slashes. Users can specify optional "flags" after the ending forward slash to denote pcre modifiers. A table of these flags/modifiers can be found below in the "Format" section.

Note: Snort 3 no longer contains HTTP-specific pcre flags since HTTP buffers are now sticky. Simply specify the http_* buffer before declaring pcre to evaluate the regular expression there.

A pcre rule option can be negated to tell Snort to alert only if that regular expression is not matched.

Format:

pcre:[!]"/pcre_string/[flag…]";
Flag   Explanation
i      case insensitive
s      include newlines in the dot metacharacter
m      By default, a pcre string is treated as one big line of characters, and '^' and '$' match at the beginning and ending of the string. When m is set, '^' and '$' match immediately following or immediately before any newline in the buffer, as well as the very start and very end of the buffer.
x      specifies that whitespace data characters in the pattern are ignored except when escaped or inside a character class
A      specifies the pattern must match only at the start of the buffer (same as specifying the '^' character)
E      sets '$' to match only at the end of the subject string
G      inverts the "greediness" of the quantifiers so that they are not greedy by default, but become greedy if followed by '?'
O      overrides the configured pcre match limit and pcre match limit recursion for this expression
R      start the regex search from the end of the last match instead of start of buffer

Examples:

pcre:"/^file\x3a\x2f\x2f[^\n]{400}/mi";
http_uri;
content:"/vulnerable_endpoint.php",fast_pattern,nocase;
# pcre gets evaluated against data in the specified sticky buffer
pcre:"/[?&]interface=[\x60\x3b]/i";
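The following is an added illustration, not Snort's own code: a small Python emulation of how a pcre option is parsed and evaluated against the current buffer, covering negation and the i, s, m, x, A and R flags (E, G and O tune PCRE engine internals that Python's re module does not expose, so they are rejected rather than silently ignored). The sample URI is constructed; the option string is the page's second example.

```python
import re

# Snort pcre flags that map directly onto Python 're' flags.
_RE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}
# Flags emulated here; E, G and O tune PCRE internals that 're' does not expose.
_SUPPORTED = set("ismxAR")

def parse_pcre_option(option):
    """Split 'pcre:[!]"/pattern/flags";' into (negated, pattern, flags)."""
    m = re.fullmatch(r'pcre:(!?)"/(.*)/([A-Za-z]*)";', option.strip(), re.DOTALL)
    if not m:
        raise ValueError("not a pcre rule option: %r" % option)
    negated, pattern, flags = m.group(1) == "!", m.group(2), m.group(3)
    unknown = set(flags) - _SUPPORTED
    if unknown:
        raise ValueError("flag(s) not emulated: %s" % "".join(sorted(unknown)))
    return negated, pattern, flags

def evaluate_pcre(option, buffer, last_end=0):
    """Evaluate one option against a buffer (the current sticky buffer in Snort).
    Returns (alert, end_of_match); end_of_match feeds the next option's R flag."""
    negated, pattern, flags = parse_pcre_option(option)
    re_flags = 0
    for f in flags:
        re_flags |= _RE_FLAGS.get(f, 0)
    compiled = re.compile(pattern, re_flags)
    # R: resume from the end of the previous match instead of offset 0.
    start = last_end if "R" in flags else 0
    # A: the pattern may only match at the search start (an implicit '^').
    m = compiled.match(buffer, start) if "A" in flags else compiled.search(buffer, start)
    # A negated option fires when the expression does NOT match.
    return (m is not None) != negated, (m.end() if m else last_end)

def evaluate_rule(options, buffer):
    """All pcre options in a rule must pass, in order, sharing the match cursor."""
    last_end = 0
    for opt in options:
        alert, last_end = evaluate_pcre(opt, buffer, last_end)
        if not alert:
            return False
    return True

# Constructed sample URI; the option is the page's second example.
URI = "/vulnerable_endpoint.php?INTERFACE=;x"
SAMPLE_OPTION = r'pcre:"/[?&]interface=[\x60\x3b]/i";'

if __name__ == "__main__":
    print(evaluate_rule([SAMPLE_OPTION], URI))                                      # True
    print(evaluate_rule([r'pcre:!"/^GET /";'], "POST /x HTTP/1.1"))                 # True
    print(evaluate_rule([r'pcre:"/user=/";', r'pcre:"/user=/R";'], "user=a&user=b"))  # True
```

The last call shows why R matters: without it the second option would simply rematch the first "user=" at offset 0, so a rule meant to require two occurrences would fire on one.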

Note: Because regular expressions are relatively costly from a performance standpoint, rules that use a pcre should also have at least one content match to take advantage of Snort's fast-pattern engine.