pcresnort

What does /R mean in snort's pcre rule option?


I'm trying to generate some traces that can trigger snort's alert to test the performance of snort. But there are some pcre options in some rules that contain /R, which I don't understand.

For example, there's a pcre option in one snort rule pcre: "/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR", and I don't know what "R" means there. I know "s" is a pcre modifier that can set PCRE_DOTALL. But what about "R"? Is it a modifier too or something else?

I've searched the pcre doc, but I didn't find there's an "R" modifier. So I think it's not a modifier.

Here's an example rule that contains pcre option with /R in it, I got this rule from snort3's community rules.

alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"OS-WINDOWS Microsoft Windows SMB unicode andx invalid server name share access"; content:"|11|",depth 1; content:"|00|",distance 13; content:"|00|",distance 0; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u",depth 1,offset 39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"|5C 00 5C 00|",distance 2,nocase; pcre:!"/^([^\x5C\x00].|[\x5c\x00][^\x00])+\x5C\x00/sR"; metadata:policy max-detect-ips drop; reference:cve,2010-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; classtype:protocol-command-decode; sid:16403; rev:12; )


Solution

  • The R modifier is not a native PCRE modifier, it is a Snort specific modifier for PCRE regex, that enables Snort3 to force specific pattern behavior.

    See Snort3 "3.5.26.1 Format" documentation:

    R            Match relative to the end of the last pattern match. (Similar to distance:0;)
    ...
    The modifiers R (relative) and B (rawbytes) are not allowed with any of the HTTP modifiers such as U, I, P, H, D, M, C, K, S and Y.

    Note that acc. to Rules Authors Introduction to Writing Snort 3 Rules:

    In Snort 2, the post-re modifiers (B, U, P, H, M, C, I, D, K, S, Y) set compile time flags for the regular expression. For example, the Snort specific modifier for pcre U is used to match the decoded URI buffers.

    In Snort 3, some of post-re modifiers (B, U, P, H, M, C, I, D, K, S, Y) have been deleted in favor of sticky buffers.