From e21e432738e98dd60ca9ef05a860cbb30345d510 Mon Sep 17 00:00:00 2001
From: pilcrow
Date: Tue, 20 Sep 2011 22:30:14 -0500
Subject: [PATCH] Always try PCRE_NO_AUTO_CAPTURE first for signature regexes.

Many, many pcre: signatures specify (...) when the more efficient (?:...) is all that is needed. This change attempts to force PCRE_NO_AUTO_CAPTURE on all unnamed capture groups, reverting to capturing when necessary, e.g., when \1 is referenced.
---
src/detect-pcre.c | 12 +++++++++++-
1 files changed, 11 insertions(+), 1 deletions(-)

diff --git a/src/detect-pcre.c b/src/detect-pcre.c
index 8e83ff9..852b567 100644
--- a/src/detect-pcre.c
+++ b/src/detect-pcre.c
@@ -746,6 +746,7 @@ int DetectPcreMatch (ThreadVars *t, DetectEngineThreadCtx *det_ctx, Packet *p,
 DetectPcreData *DetectPcreParse (char *regexstr)
 {
+ int ec;
 const char *eb;
 int eo;
 int opts = 0;
@@ -874,7 +875,16 @@ DetectPcreData *DetectPcreParse (char *regexstr)
 //printf("DetectPcreParse: \"%s\"\n", re);
- pd->re = pcre_compile(re, opts, &eb, &eo, NULL);
+ /* Try to compile as if all (...) groups had been meant as (?:...),
+ * which is the common case in most rules.
+ * If we fail because a capture group is later referenced (e.g., \1),
+ * PCRE will let us know.
+ */
+ pd->re = pcre_compile2(re, opts | PCRE_NO_AUTO_CAPTURE, &ec, &eb, &eo, NULL);
+ if (pd->re == NULL && ec == 15) { // reference to non-existent subpattern
+ pd->re = pcre_compile(re, opts, &eb, &eo, NULL);
+ }
+
 if(pd->re == NULL) {
 SCLogError(SC_ERR_PCRE_COMPILE, "pcre compile of \"%s\" failed at offset %" PRId32 ": %s", regexstr, eo, eb);
 goto error;
-- 
1.7.4.1
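Review bot: The first compile with `PCRE_NO_AUTO_CAPTURE` can succeed with a changed meaning instead of failing, because named groups still capture and are then numbered without the unnamed ones. In a constructed pattern such as `(a)(?P<n>b)\1`, the `\1` would bind to the named group, so the `ec == 15` fallback never runs and the signature silently matches different traffic than its author intended. Checking `PCRE_INFO_BACKREFMAX` after a successful first compile, and recompiling with the original `opts` when it is non-zero, would cover numbered back-references; numbered recursion and conditional references are not covered by that check and would need separate handling. The literal `15` would also read better as a named constant local to this file, since the PCRE documentation lists compile error codes only as numbers. DetectPcreParse starts and ends outside this hunk, so how capture counts are used later is not visible here.

```c
pd->re = pcre_compile2(re, opts | PCRE_NO_AUTO_CAPTURE, &ec, &eb, &eo, NULL);
if (pd->re != NULL) {
    /* A numbered back-reference that still resolves (to a named group)
     * would change meaning silently, so keep capturing for such patterns. */
    int backref_max = 0;
    if (pcre_fullinfo(pd->re, NULL, PCRE_INFO_BACKREFMAX, &backref_max) != 0 ||
        backref_max > 0) {
        pcre_free(pd->re);
        pd->re = pcre_compile(re, opts, &eb, &eo, NULL);
    }
} else if (ec == 15) { /* reference to non-existent subpattern */
    pd->re = pcre_compile(re, opts, &eb, &eo, NULL);
}
/* … unchanged: pd->re == NULL error path … */
```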