Bug #4715

open

pcre keyword causes more alerts!

Added by albert wang over 2 years ago. Updated 10 months ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

When I use the pcre keyword on a pcap, it alerted 156 times.
alert smb any any -> any any (msg:"smb test";pcre:"/test/";sid:26;)

But when I change the pcre keyword to the content keyword, it alerted 5 times.
alert smb any any -> any any (msg:"smb test";content:"test";sid:27;)

What caused this?
Does PCRE change the detection mode?
If this is the reason, what keyword can make the pcre keyword work like the content keyword?

#1

Updated by Philippe Antoine 10 months ago

Would you have a pcap to reproduce this?

Also, please note that using pcre on a stream without any fixed content will lead to very poor performance.
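The rule shape the comment above points at, as an added example that is not part of this ticket and not Suricata project code: a rule with no content keyword gives the multi-pattern prefilter nothing to anchor on, so it is inspected every time; with a content keyword, the rest of the rule (pcre included) is only evaluated where that literal was found. The sids, the trailing regex and the message strings are constructed.

```suricata
# Constructed example rules (not from the ticket); sids are placeholders.

# Shape as reported: pcre alone, no fixed content. There is no literal for the
# prefilter, so the regex is run against every inspected buffer.
alert smb any any -> any any (msg:"smb test - pcre only"; pcre:"/test/"; sid:1000001; rev:1;)

# Anchored form: the literal "test" is the prefilter pattern; the regex is only
# evaluated after the literal matched and, with the R flag, starts relative to
# the end of that match (the ^ anchors there, not at the buffer start).
alert smb any any -> any any (msg:"smb test - content then relative pcre"; content:"test"; fast_pattern; pcre:"/^[0-9]{1,4}/R"; sid:1000002; rev:1;)
```

When the regex is needed only to refine what a literal already selects, keep the literal in content (marking it fast_pattern when the rule has several) and let pcre carry just the variable part; that is the difference between one regex evaluation per candidate buffer and one per packet.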
