I'm trying to generate some traces that can trigger snort's alert to test the performance of snort. But there are some pcre options in some rules that contain /R, which I don't understand.
For example, there's a pcre option in one snort rule, pcre: "/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR", and I don't know what "R" means there. I know "s" is a pcre modifier that can set PCRE_DOTALL. But what about "R"? Is it a modifier too or something else?
I've searched the pcre doc, but I didn't find there's an "R" modifier. So I think it's not a modifier.
Here's an example rule that contains a pcre option with /R in it; I got this rule from snort3's community rules.
alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"OS-WINDOWS Microsoft Windows SMB unicode andx invalid server name share access"; content:"|11|",depth 1; content:"|00|",distance 13; content:"|00|",distance 0; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u",depth 1,offset 39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"|5C 00 5C 00|",distance 2,nocase; pcre:!"/^([^\x5C\x00].|[\x5c\x00][^\x00])+\x5C\x00/sR"; metadata:policy max-detect-ips drop; reference:cve,2010-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; classtype:protocol-command-decode; sid:16403; rev:12; )
The R modifier is not a native PCRE modifier; it is a Snort-specific modifier for PCRE regex that enables Snort3 to force specific pattern behavior.
See Snort3 "3.5.26.1 Format" documentation:
R Match relative to the end of the last pattern match. (Similar to distance:0;)
...
The modifiers R (relative) and B (rawbytes) are not allowed with any of the HTTP modifiers such as U, I, P, H, D, M, C, K, S and Y.
Note that according to Rules Authors Introduction to Writing Snort 3 Rules:
In Snort 2, the post-re modifiers (B, U, P, H, M, C, I, D, K, S, Y) set compile time flags for the regular expression. For example, the Snort specific modifier for pcre U is used to match the decoded URI buffers.
In Snort 3, some of the post-re modifiers (B, U, P, H, M, C, I, D, K, S, Y) have been deleted in favor of sticky buffers.