aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
dependabot/github_actions/github/codeql-action-3.26.13
master
main-7.0.x
master-6.0.x
master-5.0.x
master-4.1.x
master-4.0.x
master-3.2.x
suricata-7.0.7
suricata-7.0.6
suricata-6.0.20
suricata-7.0.5
suricata-6.0.19
suricata-6.0.18
suricata-7.0.4
suricata-6.0.17
suricata-7.0.3
suricata-6.0.16
suricata-7.0.2
suricata-6.0.15
suricata-7.0.1
suricata-6.0.14
suricata-7.0.0
suricata-7.0.0-rc2
suricata-6.0.13
suricata-6.0.12
suricata-6.0.11
suricata-7.0.0-rc1
suricata-6.0.10
suricata-6.0.9
suricata-7.0.0-beta1
suricata-6.0.8
suricata-6.0.7
suricata-6.0.6
suricata-5.0.10
suricata-6.0.5
suricata-5.0.9
suricata-6.0.4
suricata-5.0.8
suricata-6.0.3
suricata-5.0.7
suricata-6.0.2
suricata-5.0.6
suricata-6.0.1
suricata-5.0.5
suricata-4.1.10
suricata-4.1.9
suricata-5.0.4
suricata-6.0.0
suricata-6.0.0-rc1
suricata-6.0.0-beta1
suricata-5.0.3
suricata-4.1.8
suricata-4.1.7
suricata-5.0.2
suricata-4.1.6
suricata-5.0.1
suricata-5.0.0
suricata-5.0.0-rc1
suricata-4.1.5
suricata-5.0.0-beta1
suricata-4.1.4
suricata-4.1.3
suricata-4.0.7
suricata-4.1.2
suricata-4.1.1
suricata-4.1.0
suricata-4.0.6
suricata-4.1.0-rc2
suricata-4.1.0-rc1
suricata-4.0.5
suricata-4.1.0-beta1
suricata-4.0.4
suricata-4.0.3
suricata-4.0.2
suricata-3.2.5
suricata-4.0.1
suricata-3.2.4
suricata-4.0.0
suricata-4.0.0-rc2
suricata-3.2.3
suricata-4.0.0-rc1
suricata-4.0.0-beta1
suricata-3.2.2
suricata-3.1.4
suricata-3.2.1
suricata-3.2
suricata-3.2RC1
suricata-3.1.3
suricata-3.2beta1
suricata-3.1.2
suricata-3.1.1
suricata-3.1
suricata-3.0.2
suricata-3.1RC1
suricata-3.0.1
suricata-3.0.1RC1
suricata-3.0
suricata-2.0.11
suricata-3.0RC3
suricata-3.0RC2
suricata-3.0RC1
suricata-2.0.10
suricata-2.0.9
suricata-2.1beta4
suricata-2.0.8
suricata-2.0.7
suricata-2.1beta3
suricata-2.0.6
suricata-2.0.5
suricata-2.1beta2
suricata-2.0.4
suricata-2.1beta1
suricata-2.0.3
suricata-2.0.2
suricata-2.0.1
suricata-2.0.1rc1
suricata-2.0
suricata-2.0rc3
suricata-2.0rc2
suricata-2.0rc1
suricata-2.0beta2
suricata-1.4.7
suricata-1.4.6
suricata-1.4.5
suricata-2.0beta1
suricata-1.4.4
suricata-1.4.3
suricata-1.4.2
suricata-1.4.1
suricata-1.3.6
suricata-1.4
suricata-1.3.5
suricata-1.4rc1
suricata-1.3.4
suricata-1.4beta3
suricata-1.3.3
suricata-1.4beta2
suricata-1.3.2
suricata-1.4beta1
suricata-1.3.1
suricata-1.3
suricata-1.3rc1
suricata-1.3beta2
suricata-1.3beta1
suricata-1.2.1
suricata-1.2
suricata-1.2rc1
suricata-1.2beta1
suricata-1.1.1
suricata-0.8.2
suricata-1.0.0
suricata-1.0.1
suricata-1.0.2
suricata-1.0.3
suricata-1.0.4
suricata-1.0.5
suricata-1.1
suricata-1.1beta1
suricata-1.1beta2
suricata-1.1beta3
suricata-1.1rc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '87dbda1d1e'
${ noResults }
suricata/doc/userguide/rules/pcre.rst

139 lines
5.1 KiB
ReStructuredText
Raw Blame History

pcre (Perl Compatible Regular Expressions)
==========================================
The keyword pcre matches specific on regular expressions. More
information about regular expressions can be found here
http://en.wikipedia.org/wiki/Regular_expression.
The complexity of pcre comes with a high price though: it has a
negative influence on performance. So, to mitigate Suricata from
having to check pcre often, pcre is mostly combined with 'content'. In
that case, the content has to match first, before pcre will be
checked.
Format of pcre::
“/<regex>/opts”;
Example of pcre::
pcre:”/[0-9]{6}/”;
In this example there will be a match if the payload contains six
numbers following.
Example of pcre in a signature:
.. image:: pcre/pcre.png
There are a few qualities of pcre which can be modified:
* By default pcre is case-sensitive.
* The . (dot) is a part of regex. It matches on every byte except for
newline characters.
* By default the payload will be inspected as one line.
These qualities can be modified with the following characters::
i pcre is case insensitive
s pcre does check newline characters
m can make one line (of the payload) count as two lines
These options are perl compatible modifiers. To use these modifiers,
you should add them to pcre, behind regex. Like this::
pcre: “/<regex>/i”;
*Pcre compatible modifiers*
There are a few pcre compatible modifiers which can change the
qualities of pcre as well. These are:
* ``A``: A pattern has to match at the beginning of a buffer. (In pcre
^ is similar to A.)
* ``E``: Ignores newline characters at the end of the buffer/payload.
* ``G``: Inverts the greediness.
.. note:: The following characters must be escaped inside the content:
``;`` ``\`` ``"``
Suricata's modifiers
~~~~~~~~~~~~~~~~~~~~
Suricata has its own specific pcre modifiers. These are:
* ``R``: Match relative to the last pattern match. It is similar to distance:0;
* ``U``: Makes pcre match on the normalized uri. It matches on the
uri_buffer just like uricontent and content combined with http_uri.U
can be combined with /R. Note that R is relative to the previous
match so both matches have to be in the HTTP-uri buffer. Read more
about :doc:`http-uri-normalization`.
.. image:: pcre/pcre3.png
.. image:: pcre/pcre4.png
.. image:: pcre/pcre5.png
.. image:: pcre/pcre6.png
* ``I``: Makes pcre match on the HTTP-raw-uri. It matches on the same
buffer as http_raw_uri. I can be combined with /R. Note that R is
relative to the previous match so both matches have to be in the
HTTP-raw-uri buffer. Read more about :doc:`http-uri-normalization`.
* ``P``: Makes pcre match on the HTTP- request-body. So, it matches on
the same buffer as http_client_body. P can be combined with /R. Note
that R is relative to the previous match so both matches have to be
in the HTTP-request body.
* ``Q``: Makes pcre match on the HTTP- response-body. So, it matches
on the same buffer as http_server_body. Q can be combined with
/R. Note that R is relative to the previous match so both matches
have to be in the HTTP-response body.
* ``H``: Makes pcre match on the HTTP-header. H can be combined with
/R. Note that R is relative to the previous match so both matches have
to be in the HTTP-header body.
* ``D``: Makes pcre match on the unnormalized header. So, it matches
on the same buffer as http_raw_header. D can be combined with
/R. Note that R is relative to the previous match so both matches
have to be in the HTTP-raw-header.
* ``M``: Makes pcre match on the request-method. So, it matches on the
same buffer as http_method. M can be combined with /R. Note that R
is relative to the previous match so both matches have to be in the
HTTP-method buffer.
* ``C``: Makes pcre match on the HTTP-cookie. So, it matches on the
same buffer as http_cookie. C can be combined with /R. Note that R
is relative to the previous match so both matches have to be in the
HTTP-cookie buffer.
* ``S``: Makes pcre match on the HTTP-stat-code. So, it matches on the
same buffer as http_stat_code. S can be combined with /R. Note that
R is relative to the previous match so both matches have to be in
the HTTP-stat-code buffer.
* ``Y``: Makes pcre match on the HTTP-stat-msg. So, it matches on the
same buffer as http_stat_msg. Y can be combined with /R. Note that
R is relative to the previous match so both matches have to be in
the HTTP-stat-msg buffer.
* ``B``: You can encounter B in signatures but this is just for
compatibility. So, Suricata does not use B but supports it so it
does not cause errors.
* ``O``: Overrides the configures pcre match limit.
* ``V``: Makes pcre match on the HTTP-User-Agent. So, it matches on
the same buffer as http_user_agent. V can be combined with /R. Note
that R is relative to the previous match so both matches have to be
in the HTTP-User-Agent buffer.
* ``W``: Makes pcre match on the HTTP-Host. So, it matches on the same
buffer as http_host. W can be combined with /R. Note that R is
relative to the previous match so both matches have to be in the
HTTP-Host buffer.
Reference in New Issue View Git Blame Copy Permalink