pcre
The pcre rule option matches regular expression strings against packet data.
Regular expressions written for this option use Perl-compatible regular expression (PCRE) syntax; see the PCRE documentation for the full syntax.
The regular expression is enclosed in double quotes and must start and end with forward slashes. Optional "flags" can be specified after the ending forward slash to denote pcre modifiers. A table of these flags/modifiers is given in the "Format" section below.
Note: Snort 3 no longer contains HTTP-specific pcre flags since HTTP buffers are now sticky. Simply specify the http_* buffer before declaring pcre to evaluate the regular expression there.
A pcre rule option can be negated to tell Snort to alert only if that regular expression is not matched.
Format:
pcre:[!]"/pcre_string/[flag…]";
| Flag | Explanation |
|---|---|
| i | case insensitive |
| s | include newlines in the dot metacharacter |
| m | By default, a pcre string is treated as one big line of characters, and '^' and '$' match at the beginning and ending of the string. When m is set, '^' and '$' match immediately following or immediately before any newline in the buffer, as well as the very start and very end of the buffer. |
| x | specifies that whitespace data characters in the pattern are ignored except when escaped or inside a character class |
| A | specifies the pattern must match only at the start of the buffer (same as specifying the '^' character) |
| E | sets '$' to match only at the end of the subject string |
| G | inverts the "greediness" of the quantifiers so that they are not greedy by default, but become greedy if followed by '?' |
| O | overrides the configured pcre match limit and pcre match limit recursion for this expression |
| R | start the regex search from the end of the last match instead of start of buffer |
Examples:
pcre:"/^file\x3a\x2f\x2f[^\n]{400}/mi";
http_uri;
content:"/vulnerable_endpoint.php",fast_pattern,nocase;
# pcre gets evaluated against data in the specified sticky buffer
pcre:"/[?&]interface=[\x60\x3b]/i";
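The following is an added example, not code from Snort or from this page: a small Python model of how a pcre rule option is parsed and evaluated, using Python's re module as a stand-in for PCRE. It parses the pcre:[!]"/pcre_string/[flags]"; form from the Format section, maps the i, s, m and x flags onto their re equivalents, implements A, R and negation directly, and refuses E, G and O rather than evaluating them with different semantics. The sample buffers are constructed, and the helper names (parse_pcre_option, evaluate_option, evaluate_rule) are this example's own, not Snort identifiers.

```python
import re
from dataclasses import dataclass

# Snort pcre flags (from the table above) that map directly onto Python
# re flags. Python's re engine stands in for PCRE in this model.
FLAG_MAP = {
    "i": re.IGNORECASE,   # case insensitive
    "s": re.DOTALL,       # '.' also matches newline
    "m": re.MULTILINE,    # '^' / '$' also match at embedded newlines
    "x": re.VERBOSE,      # unescaped whitespace in the pattern is ignored
}

# Grammar from the Format section: pcre:[!]"/pcre_string/[flags]";
# The greedy group stops at the LAST '/', so escaped slashes inside the
# pattern (\x2f, as in the page's first example) are not mistaken for the
# closing delimiter.
OPTION_RE = re.compile(r'^pcre:(!?)"/(.*)/([A-Za-z]*)";$', re.DOTALL)


@dataclass
class PcreOption:
    negated: bool           # leading '!': option passes only if NO match
    pattern: re.Pattern     # compiled bytes regex
    relative: bool          # 'R' flag: search from the end of the last match


def parse_pcre_option(text: str) -> PcreOption:
    """Parse one pcre rule option into a compiled, evaluable form (hypothetical helper)."""
    m = OPTION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"not a pcre option: {text!r}")
    bang, body, flags = m.groups()
    re_flags = 0
    relative = False
    for f in flags:
        if f in FLAG_MAP:
            re_flags |= FLAG_MAP[f]
        elif f == "A":
            body = r"\A(?:" + body + ")"   # anchor at buffer start, like '^'
        elif f == "R":
            relative = True
        else:
            # E, G and O have no direct re equivalent in this model.
            raise ValueError(f"flag {f!r} not supported by this model")
    # Packet data is bytes, so compile a bytes pattern; \xHH escapes such as
    # \x3a in the rule text are interpreted by the regex engine itself.
    return PcreOption(bang == "!", re.compile(body.encode(), re_flags), relative)


def evaluate_option(opt: PcreOption, buf: bytes, cursor: int) -> tuple[bool, int]:
    """Evaluate one option against buf. Returns (option passed, new cursor).

    cursor is the end offset of the previous option's match; it is used as
    the search start only when the option carries the R flag.
    """
    start = cursor if opt.relative else 0
    m = opt.pattern.search(buf, start)
    passed = (m is not None) != opt.negated
    new_cursor = m.end() if m is not None else cursor
    return passed, new_cursor


def evaluate_rule(options: list[str], buf: bytes) -> bool:
    """Evaluate pcre options in order against one buffer; all must pass."""
    cursor = 0
    for text in options:
        passed, cursor = evaluate_option(parse_pcre_option(text), buf, cursor)
        if not passed:
            return False
    return True


# Constructed sample buffers (not captured traffic).
URI_SUSPECT = b"/vulnerable_endpoint.php?INTERFACE=;x"
URI_BENIGN = b"/vulnerable_endpoint.php?interface=eth0"
REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    # the page's second example: 'i' lets INTERFACE= satisfy interface=
    print(evaluate_rule([r'pcre:"/[?&]interface=[\x60\x3b]/i";'], URI_SUSPECT))  # True
    print(evaluate_rule([r'pcre:"/[?&]interface=[\x60\x3b]/i";'], URI_BENIGN))   # False
    # 'm' lets '^' match after the embedded newline; without it only at offset 0
    print(evaluate_rule([r'pcre:"/^Host:/m";'], REQUEST))   # True
    print(evaluate_rule([r'pcre:"/^Host:/";'], REQUEST))    # False
    # negation: the option passes only if the expression does NOT match
    print(evaluate_rule([r'pcre:!"/^GET /";'], REQUEST))    # False
    # 'R': the second search starts where the first match ended
    print(evaluate_rule([r'pcre:"/user=/";', r'pcre:"/admin/R";'], b"admin=0&user=guest"))  # False
    print(evaluate_rule([r'pcre:"/user=/";', r'pcre:"/admin/";'], b"admin=0&user=guest"))   # True
```

The R case is the one worth studying: without the flag, the second option would find "admin" at offset 0 and the rule would fire on a buffer the author did not intend; with it, the search is confined to data after the previous match, which is how relative pcre options are chained in practice.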
Note: Because regular expressions are relatively costly from a performance standpoint, rules that use a pcre should also have at least one content match to take advantage of Snort's fast-pattern engine.