Project

General

Profile

Actions
Copy link

Bug #4715

open

pcre keyword cause more alert!

Added by albert wang about 3 years ago. Updated 4 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
Community Ticket
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

When I use the pcre keyword to detect pcap. It alerted 156 times.
alert smb any any -> any any (msg:"smb test";pcre:"/test/";sid:26;)

But, Change pcre keyword to content keyword, it alerted 5 times.
alert smb any any -> any any (msg:"smb test";content:"test";sid:27;)

What caused this?
Does PCRE change the detection mode ?
If this is the reason, What keyword can make pcre keyword like content keyword work?

Actions
Copy link
 #1

Updated by Philippe Antoine over 1 year ago

Would you have a pcap to reproduce this ?

Also, please note that using pcre on stream without any fixed content will lead to very poor performance

Actions
Copy link
 #2

Updated by Philippe Antoine 5 months ago

  • Status changed from New to Feedback
  • Target version set to TBD
Actions
Copy link
 #3

Updated by Philippe Antoine 4 months ago

  • Assignee set to Community Ticket
Actions
Copy link

Also available in: Atom PDF