What does /R mean in snort's pcre rule option?

I am trying to generate some traces that can trigger snort alerts in order to test snort's performance. But some rules have /R inside their pcre option, and I don't understand it.

For example, one snort rule has this pcre option: "/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR", and I don't know what "R" means. I know that "s" is a pcre modifier that sets PCRE_DOTALL. But what about "R"? Is it also a modifier, or something else?

I searched the pcre documentation but did not find an "R" modifier. So I think it is not a modifier.

Here is an example rule containing a pcre option with /R; I took this rule from the snort3 community rules.

alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"OS-WINDOWS Microsoft Windows SMB unicode andx invalid server name share access"; content:"|11|",depth 1; content:"|00|",distance 13; content:"|00|",distance 0; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u",depth 1,offset 39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"|5C 00 5C 00|",distance 2,nocase; pcre:!"/^([^\x5C\x00].|[\x5c\x00][^\x00])+\x5C\x00/sR"; metadata:policy max-detect-ips drop; reference:cve,2010-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; classtype:protocol-command-decode; sid:16403; rev:12; )

The R modifier is not a native PCRE modifier; it is a Snort-specific modifier for PCRE regular expressions that lets Snort3 enforce specific pattern behaviour.

See the Snort3 "3.5.26.1 Format" documentation:

R            Match relative to the end of the last pattern match. (Similar to distance:0;)
...
The modifiers R (relative) and B (rawbytes) are not allowed with any of the HTTP modifiers such as U, I, P, H, D, M, C, K, S and Y.

Note that, according to Rules Authors Introduction to Writing Snort 3 Rules:

In Snort 2, the post-re modifiers (B, U, P, H, M, C, I, D, K, S, Y) set compile time flags for the regular expression. For example, the Snort specific modifier for pcre U is used to match the decoded URI buffers.

In Snort 3, some of post-re modifiers (B, U, P, H, M, C, I, D, K, S, Y) have been deleted in favor of sticky buffers.
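To make the difference concrete for someone building test traces, here is an added Python model of how Snort walks the first five options of sid:16403 with a "cursor" (the end-of-last-match position that `distance`, `within` and the `R` modifier are relative to). This is illustrative code written for this answer, not Snort's implementation; it assumes the documented semantics (`distance` sets the search start relative to the cursor, `within` bounds the window, and with `R` the regex subject starts at the cursor so `^` anchors there). The sample buffer is constructed by hand and is not a real capture.

```python
import re

# Constructed sample: just enough bytes to satisfy the rule's content options,
# NOT a real NetBIOS/SMB datagram. Offsets are 0-based.
SAMPLE = (
    b"\x11"             # offset 0: matched by content:"|11|",depth 1
    + b"A" * 13         # offsets 1-13: skipped, because distance:13 starts the next search at 14
    + b"\x00"           # offset 14: content:"|00|",distance 13
    + b"\x00"           # offset 15: content:"|00|",distance 0
    + b"BBB"            # offsets 16-18: skipped by distance:3
    + b"\xffSMB"        # offsets 19-22: content:"|FF|SMB",within 4,distance 3
    + b"\x75"           # offset 23: the byte after the SMB signature, checked by the pcre
    + b"\x00" * 8       # padding
)

# The pcre from the rule, with /s mapped to re.DOTALL below.
SMB_COMMAND_RE = rb"^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)"


class Matcher:
    """Minimal model of Snort's per-rule cursor (assumption: Snort 2 doe pointer /
    Snort 3 Cursor behave as documented: relative options start at the cursor)."""

    def __init__(self, buf):
        self.buf = buf
        self.cursor = 0

    def content(self, pattern, offset=None, depth=None, distance=None, within=None):
        """offset/depth are absolute; distance/within are relative to the cursor.
        The whole pattern must fit inside the window [start, end)."""
        if distance is not None or within is not None:
            start = self.cursor + (distance or 0)
            end = start + within if within is not None else len(self.buf)
        else:
            start = offset or 0
            end = start + depth if depth is not None else len(self.buf)
        hit = self.buf.find(pattern, start, end)   # bytes.find requires the match inside buf[start:end]
        if hit < 0:
            return False
        self.cursor = hit + len(pattern)           # cursor moves to end of match
        return True

    def pcre(self, regex, relative):
        """With R the subject handed to PCRE begins at the cursor, so ^ anchors there.
        Without R the subject is the whole buffer and ^ anchors at offset 0."""
        subject = self.buf[self.cursor:] if relative else self.buf
        m = re.search(regex, subject, re.DOTALL)   # /s == PCRE_DOTALL == re.DOTALL
        if m is None:
            return False
        base = self.cursor if relative else 0
        self.cursor = base + m.end()
        return True


def walk_rule_prefix(buf, relative=True):
    """Apply the first five options of sid:16403 to buf in order.
    Returns the cursor after the pcre option, or None if some option fails."""
    m = Matcher(buf)
    options = [
        lambda: m.content(b"\x11", depth=1),
        lambda: m.content(b"\x00", distance=13),
        lambda: m.content(b"\x00", distance=0),
        lambda: m.content(b"\xffSMB", distance=3, within=4),
        lambda: m.pcre(SMB_COMMAND_RE, relative=relative),
    ]
    for opt in options:
        if not opt():
            return None
    return m.cursor


if __name__ == "__main__":
    # With R the pcre is evaluated at offset 23 and matches 0x75; cursor ends at 24.
    print("with R:   ", walk_rule_prefix(SAMPLE, relative=True))
    # Without R the same ^-anchored pcre is tried at offset 0 (0x11) and fails.
    print("without R:", walk_rule_prefix(SAMPLE, relative=False))
    # A trace whose byte after the signature is not in the set fails even with R.
    other = SAMPLE[:23] + b"\x25" + SAMPLE[24:]
    print("0x25 cmd: ", walk_rule_prefix(other, relative=True))
```

For trace generation this is the point of `R`: the `^` in the rule's pcre is an anchor at the end of the previous `|FF|SMB` match, not at the start of the payload, so the byte you place immediately after the signature is what decides whether the pcre option passes.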