Project

General

Profile

Actions
Copy link

Bug #4715

closed

pcre keyword cause more alert!

Added by albert wang about 4 years ago. Updated 4 months ago.

Status:
Rejected
Priority:
Normal
Assignee:
Community Ticket
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

When I use the pcre keyword to detect pcap. It alerted 156 times.
alert smb any any -> any any (msg:"smb test";pcre:"/test/";sid:26;)

But, Change pcre keyword to content keyword, it alerted 5 times.
alert smb any any -> any any (msg:"smb test";content:"test";sid:27;)

What caused this?
Does PCRE change the detection mode ?
If this is the reason, What keyword can make pcre keyword like content keyword work?

Actions
Copy link
 #1

Updated by Philippe Antoine over 2 years ago

Would you have a pcap to reproduce this ?

Also, please note that using pcre on stream without any fixed content will lead to very poor performance

Actions
Copy link
 #2

Updated by Philippe Antoine over 1 year ago

  • Status changed from New to Feedback
  • Target version set to TBD
Actions
Copy link
 #3

Updated by Philippe Antoine over 1 year ago

  • Assignee set to Community Ticket
Actions
Copy link
 #4

Updated by Philippe Antoine 8 months ago

I think this comes from the fact that fixed content will run prefilter somehow

Actions
Copy link
 #5

Updated by Philippe Antoine 4 months ago

  • Status changed from Feedback to Rejected

Closing as stale

Actions
Copy link

Also available in: Atom PDF