https://inliniac.net/blog/tag/pcre/ Recent content in Pcre on Inliniac Hugo en Tue, 20 Dec 2016 18:37:05 +0000 https://inliniac.net/blog/2016/12/20/suricata-bits-ints-and-vars/ Tue, 20 Dec 2016 18:37:05 +0000 https://inliniac.net/blog/2016/12/20/suricata-bits-ints-and-vars/ <p>Since the beginning of the project we&rsquo;ve spoken about variables on multiple levels. Of course flowbits defined by the Snort language came first, but other flow based variables quickly followed: flowints for basic counting, and vars for extracting data using pcre expressions.</p> <p>I&rsquo;ve always thought of the pcre data extraction using substring capture as a potentially powerful feature. However the implementation was lacking. The extracted data couldn&rsquo;t really be used for much.</p> https://inliniac.net/blog/2011/10/12/suricata-and-pcre-performance/ Wed, 12 Oct 2011 18:26:19 +0000 https://inliniac.net/blog/2011/10/12/suricata-and-pcre-performance/ <p><strong>Update:</strong> Will Metcalf <a href="https://twitter.com/#!/node5/status/124193666377064448">pointed out</a> I was missing the &ndash;enable-utf8 &ndash;enable-unicode-properties flags from PCRE, so added these &amp; updated the numbers. Thanks Will.</p> <p>In the Emerging Threats community the following if often heard: &ldquo;PCRE is evil&rdquo;. With this people refer to signatures that use &ldquo;pure&rdquo; PCRE matches, meaning without anchoring it to a content pattern match.</p> <p>A while ago Will Metcalf initiated work to get Suricata to support a new PCRE feature by Herczeg Zoltán: <a href="http://sljit.sourceforge.net/pcre.html">SLJIT</a>. Since then, support for this has found it&rsquo;s way into the official PCRE release, currently at version <a href="https://lists.exim.org/lurker/message/20111011.103546.de2e9e31.en.html">8.20-RC3</a>.</p>