Overview: The pcre Keyword
The pcre keyword allows you to use Perl-compatible regular expressions (PCRE) to inspect packet payloads for specified content. You can use PCRE to avoid writing multiple rules to match slight variations of the same content.

Regular expressions are useful when searching for content that could be displayed in a variety of ways. The content may have different attributes that you want to account for in your attempt to locate it within a packet's payload.
Note that the regular expression syntax used in intrusion rules is a subset of the full PCRE library and varies in some ways from the syntax accepted by the full library. When adding a pcre keyword using the intrusion rules editor, enter the full value in the following format:

!/pcre/ismxAEGRBUIPHDMCKSY

where:

- ! is an optional negation. Use it when you want the keyword to match payloads that do not match the regular expression.
- /pcre/ is a Perl-compatible regular expression enclosed in forward slashes.
- ismxAEGRBUIPHDMCKSY is any combination of modifier options.
Also note that you must escape the characters listed in the following table for the rules engine to interpret them correctly when you use them in a PCRE to search for specific content in a packet payload.
You must escape... | with a backslash... | or Hex code...
---|---|---
`#` (hash mark) | `\#` | `\x23`
`;` (semicolon) | `\;` | `\x3B`
`\|` (vertical bar) | `\\|` | `\x7C`
`:` (colon) | `\:` | `\x3A`
You can also use m?regex?, where ? is a delimiter other than /. You may want to use this in situations where you need to match a forward slash within a regular expression and do not want to escape it with a backslash. Whatever delimiter you choose must not itself appear unescaped inside the regular expression, because the rules engine treats its second occurrence as the end of the expression. For example, you might use

m?regex?ismxAEGRBUIPHDMCKSY

where regex is your Perl-compatible regular expression and ismxAEGRBUIPHDMCKSY is any combination of modifier options.
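To make the syntax above concrete, here is an added Python example (not code from the rules editor or from the Snort rules engine) that parses a pcre option value in the documented !/regex/modifiers and m?regex?modifiers forms and evaluates it against constructed sample payloads with Python's re module. It assumes that only the i, s, m, x and A modifiers have direct equivalents in re; the other letters in the documented modifier set are accepted and recorded but not applied, because they select inspection buffers and engine behaviour that a plain regular-expression library does not model. The function names parse_pcre_option and pcre_matches and the sample payloads are this example's own.

```python
import re

# Modifier letters the rules editor accepts (from the documented format).
KNOWN_MODIFIERS = set("ismxAEGRBUIPHDMCKSY")

# Only these four have a direct re-module equivalent. Assumption of this
# example: every other documented letter is recorded but not applied.
FLAG_MAP = {
    "i": re.IGNORECASE,   # case-insensitive
    "s": re.DOTALL,       # '.' also matches newline
    "m": re.MULTILINE,    # ^ and $ match at line boundaries
    "x": re.VERBOSE,      # ignore whitespace / allow comments in the pattern
}


def parse_pcre_option(value):
    """Split '!/regex/mods' or '!m?regex?mods' into (negated, regex, mods).

    Backslash-escaped characters inside the expression (\\#, \\;, \\|, \\:,
    or an escaped delimiter such as \\/) are skipped when looking for the
    closing delimiter and are passed through to the regex engine unchanged.
    """
    value = value.strip()
    negated = False
    if value.startswith("!"):
        negated = True
        value = value[1:].lstrip()

    if value.startswith("/"):
        delim, body = "/", value[1:]
    elif (value.startswith("m") and len(value) > 1
          and not value[1].isalnum() and value[1] != "\\"):
        # m?regex? form: the character after 'm' is the delimiter.
        delim, body = value[1], value[2:]
    else:
        raise ValueError("pcre value must start with / or m<delimiter>")

    # Locate the closing delimiter, honouring backslash escapes.
    i, end = 0, -1
    while i < len(body):
        if body[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if body[i] == delim:
            end = i
            break
        i += 1
    if end < 0:
        raise ValueError("unterminated regular expression")

    regex, mods = body[:end], body[end + 1:]
    unknown = set(mods) - KNOWN_MODIFIERS
    if unknown:
        raise ValueError("unknown modifier(s): " + "".join(sorted(unknown)))
    return negated, regex, mods


def pcre_matches(option, payload):
    """Evaluate a pcre option against raw payload bytes, applying negation."""
    negated, regex, mods = parse_pcre_option(option)
    flags = 0
    for ch in mods:
        flags |= FLAG_MAP.get(ch, 0)
    pattern = re.compile(regex.encode(), flags)
    # 'A' anchors the match at the start of the buffer; otherwise search it.
    found = pattern.match(payload) if "A" in mods else pattern.search(payload)
    hit = found is not None
    return (not hit) if negated else hit


if __name__ == "__main__":
    # Constructed sample payloads, not captured traffic.
    http_get = b"GET /admin/config.php HTTP/1.1\r\n"
    http_post = b"POST /login HTTP/1.1\r\n"
    kv_blob = b"user:bob|role:admin"

    # Alternate delimiter so the slashes in the URI need no escaping.
    print(pcre_matches(r"m?^GET /admin/config\.php?i", http_get))
    # Negation: true only when the expression does NOT match.
    print(pcre_matches(r"!/^GET /", http_post), pcre_matches(r"!/^GET /", http_get))
    # Escaped ':' and '|' from the table, once by backslash, once by hex code.
    print(pcre_matches(r"/user\:[a-z]+\|role\:admin/", kv_blob))
    print(pcre_matches(r"/user\x3A[a-z]+\x7Crole\x3Aadmin/", kv_blob))
```

Run it directly to see the four checks above evaluated; the negated form reports True for the POST request and False for the GET request. Note that when you pick an alternate delimiter such as ?, that character can no longer be used as an unescaped quantifier inside the expression.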
Tip: Optionally, you can surround your Perl-compatible regular expression with quote characters, for example, pcre_expression or