Suricata

I typo'd the pcre from memory, but you know what i mean...

pcre:"/^(?:\d{1,3}\.){3}\d{1,3}(?:\x3a\d{1,5})?$/W";

A simple "is_ip" should be fairly simple. I wonder though if it should go a bit wider: like if there is a notation like [1.2.3.4] or it includes a port like 1.2.3.4:666, or a list of IP's that are sometimes seen in XFF headers.

Victor Julien wrote in #note-4:

A simple "is_ip" should be fairly simple. I wonder though if it should go a bit wider:

going wider would be great, but also, taking a step forward to remove this PCRE from rules (includes some that are dedicated for the entire purpose of detecting an IP in the http.host header) would be amazing.

A good start for a "wider" approach might be to allow the selection of what type of IP it is?

Taken directly from Rust's IpAddr - https://doc.rust-lang.org/std/net/enum.IpAddr.html#method.is_global
is_ip:is_global;
is_ip:!is_global;
is_ip:is_ipv4;
is_ip:is_ipv6;
is_ip; (either ipv4 or ipv6)

etc.