[Oisf-users] PCRE question
Chris Wakelin
c.d.wakelin at reading.ac.uk
Wed Jul 11 18:16:11 UTC 2012
On 11/07/2012 19:06, kay wrote:
> I have noticed /H modifier. I've never heard about such modifier.
>
> "/Host\x3a ([0-9]{1,3}\.){3}[0-9]{1,3}/H"
From
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords
:-
> H Makes pcre match on the HTTP-header. H can be combined with /R. Note that R is relative to the
> previous match so both matches have to be in the HTTP-header body.
plus several others!
Best Wishes,
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 2AF, UK Fax: +44 (0)118 975 3094
More information about the Oisf-users
mailing list