Feature #8133: Relative pcre with negative distance to previous content match - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #8133

open

Relative pcre with negative distance to previous content match

Added by A. Iooss about 23 hours ago.

Status:

New

Priority:

Normal

Assignee:

Target version:

TBD

Effort:

Difficulty:

Label:

Description

Currently Suricata implements the R PCRE modifier to allow the equivalent of distance:0. This is enough in most use case, except when using PCRE extraction.

See for example this rule:
alert ip any any -> any any (flow:to_server; content: "ECSC_"; pcre: "/(ECSC_[A-Za-z0-9\/+]{32})/, flow:match"; sid: 1;)
Because the extraction needs to contain the ECSC_ prefix, the R modifier cannot be used.

This is problematic when trying to extract multiple values, as PCRE will return the first found match.

No data to display

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #8133

Relative pcre with negative distance to previous content match