regex

The regex rule option matches regular expressions against payload data via the hyperscan search engine.

One of the main advantages to using regex options over pcre options is the ability to use regex regular expressions as fast_pattern matches. Doing so, however, requires that the hyperscan libraries are installed and hyperscan is enabled in the Snort 3 Lua configuration like so:

search_engine = { search_method = "hyperscan" } 

Like the pcre option, these regular expressions follow the perl-compatible regular expression (PCRE) syntax, are enclosed in double quotes, and must start and end with forward slashes.

Similar to pcre, a regex option is evaluated against whichever sticky buffer precedes it.

Regular expressions written for regex options have access to only a limited set of flags/modifiers, and those compatible flags are shown below.

Format:

regex:"/regex_string/[flag…]"[,fast_pattern][,nocase];
Flag  Explanation
i     case insensitive
s     include newlines in the dot metacharacter
m     By default, a pcre string is treated as one big line of characters, and '^' and '$' match at the beginning and ending of the string. When m is set, '^' and '$' match immediately following or immediately before any newline in the buffer, as well as the very start and very end of the buffer.
R     start the regex search from the end of the last match instead of the start of the buffer

Examples:

regex:"/^file\x3a\x2f\x2f[^\n]{400}/mi",fast_pattern;
http_uri;
# regex gets evaluated against data in the specified sticky buffer
# '?' is a quantifier in PCRE syntax, so the query separator is written as \x3f to match it literally
regex:"/\x2fvulnerable_endpoint\x2ephp\x3finterface=[\x60\x3b]/i",fast_pattern;
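The following is an added example, not code from the Snort project, that shows what the flag table and the examples above mean in practice: how i, s and m change a match, how R makes a second regex resume from the end of the previous match, and how a pattern in the style of the http_uri example behaves on sample URIs. Python's re module stands in for hyperscan; the assumption is that i, s and m have the same meaning as re.IGNORECASE, re.DOTALL and re.MULTILINE, which holds for PCRE syntax. Hyperscan compiles only a subset of PCRE (backreferences, for instance, are not supported), so a pattern that compiles here need not compile in Snort. All function names and sample buffers are constructed for this example, and the query separator in the URI pattern is written as \x3f so it is matched literally instead of being read as a quantifier.

```python
import re

# Map the flag letters the regex option accepts onto re module flags.
# R is not a compile flag: it only changes where the search starts (see evaluate()).
FLAG_MAP = {
    "i": re.IGNORECASE,  # case insensitive
    "s": re.DOTALL,      # '.' also matches a newline
    "m": re.MULTILINE,   # '^' and '$' also match around internal newlines
}


def parse_regex_option(option):
    """Split a regex body such as '/^file\\x3a/mi' into (pattern, flag set).

    Follows the documented format: the body is enclosed in forward slashes
    and followed by zero or more single-letter flags from the table above.
    """
    end = option.rfind("/")
    if not option.startswith("/") or end == 0:
        raise ValueError("regex body must start and end with a forward slash")
    pattern, flags = option[1:end], set(option[end + 1:])
    unknown = flags - set(FLAG_MAP) - {"R"}
    if unknown:
        raise ValueError("unsupported flag(s): " + "".join(sorted(unknown)))
    return pattern, flags


def compile_option(option):
    """Compile the body to a bytes regex; returns (compiled regex, R flag set?)."""
    pattern, flags = parse_regex_option(option)
    py_flags = 0
    for f in flags:
        py_flags |= FLAG_MAP.get(f, 0)
    # Payload data is bytes, so compile a bytes pattern; re understands the
    # \xhh escapes used in the page's examples in bytes patterns too.
    return re.compile(pattern.encode("latin-1"), py_flags), "R" in flags


def evaluate(options, buffer):
    """Evaluate regex option bodies in order against one sticky buffer.

    An option carrying R starts at the end of the previous match instead of
    at offset 0. Returns the list of matched (start, end) spans, or None as
    soon as one option fails, since every option of a rule must match.
    """
    spans, pos = [], 0
    for option in options:
        regex, relative = compile_option(option)
        match = regex.search(buffer, pos if relative else 0)
        if match is None:
            return None
        spans.append(match.span())
        pos = match.end()
    return spans


def demo_flags():
    """Show what the i, s and m flags change on a constructed two-line buffer."""
    buf = b"GET /a\nPOST /b\n"
    return {
        "m_off": evaluate([r"/^POST/"], buf) is not None,   # '^' only at offset 0
        "m_on": evaluate([r"/^POST/m"], buf) is not None,   # '^' also after '\n'
        "s_off": evaluate([r"/a.POST/"], buf) is not None,  # '.' stops at '\n'
        "s_on": evaluate([r"/a.POST/s"], buf) is not None,  # '.' crosses '\n'
        "i_on": evaluate([r"/post/i"], buf) is not None,    # case folded
    }


def demo_relative():
    """Show the R flag: the second search resumes where the first match ended."""
    buf = b"user=alice&user=bob&token=abc"  # constructed query string
    absolute = evaluate([r"/user=\w+/", r"/user=\w+/"], buf)   # both find user=alice
    relative = evaluate([r"/user=\w+/", r"/user=\w+/R"], buf)  # second finds user=bob
    return absolute, relative


def demo_http_uri():
    """Run a pattern in the style of the page's http_uri example over sample URIs."""
    option = r"/\x2fvulnerable_endpoint\x2ephp\x3finterface=[\x60\x3b]/i"
    samples = [
        b"/VULNERABLE_ENDPOINT.PHP?interface=;",     # upper case, ';' in the class
        b"/vulnerable_endpoint.php?interface=eth0",  # benign value, no match
    ]
    return [evaluate([option], uri) is not None for uri in samples]


if __name__ == "__main__":
    print(demo_flags())
    print(demo_relative())
    print(demo_http_uri())
```

Running the block prints the three result sets; the ordering logic in evaluate() is what matters for R: without it, a repeated pattern simply finds the first occurrence again, so a rule that needs two distinct occurrences of the same token must mark the second regex with R.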