Bug #4715

open

pcre keyword cause more alert!

Added by albert wang about 3 years ago. Updated 4 months ago.

Status: Feedback
Priority: Normal

Description

When I use the pcre keyword to detect on a pcap, it alerted 156 times.
alert smb any any -> any any (msg:"smb test";pcre:"/test/";sid:26;)

But when I change the pcre keyword to the content keyword, it alerted 5 times.
alert smb any any -> any any (msg:"smb test";content:"test";sid:27;)

What caused this?
Does PCRE change the detection mode?
If this is the reason, what keyword can make the pcre keyword work like the content keyword?
