Understanding “^” operator in PCRE from Snort Rules


Snort rules may use pcre, which sometimes starts with "^". It means it starts from the beginning of a string. Here, is the string the "data" part of a TCP packet? As a TCP packet is just a fragment of a longer stream, why does the starting point matter?


protocol-voip.rules:# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP CSeq header method mismatch attempt"; flow:to_server; content:"CSeq|3A|"; fast_pattern:only; pcre:"/^(?P<a>[A-Z]+)\s+sip\x3a.*?CSeq\x3a\s+\d+\s+(?!(?P=a))/smi"; reference:url,www.ietf.org/rfc/rfc4475.txt; classtype:attempted-dos; sid:20307; rev:2;)
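An added example, not part of the original question and not Snort code: the rule's pcre run with Python's `re` (whose named-group syntax is the same) over constructed SIP payloads, to show what `^` and the `/m` modifier do inside a single buffer. The group name `a` is taken from the rule's `(?P=a)` backreference; the helper names, sample addresses and the assumption that the whole payload is one buffer are illustrative.

```python
import re

# The rule's pcre, with its /smi modifiers mapped to Python flags.
# Group name "a" comes from the (?P=a) backreference in the rule.
CSEQ_MISMATCH = re.compile(
    rb"^(?P<a>[A-Z]+)\s+sip\x3a.*?CSeq\x3a\s+\d+\s+(?!(?P=a))",
    re.S | re.M | re.I,
)

# Same pattern without /m: "^" can then only match at offset 0 of the buffer.
CSEQ_MISMATCH_NO_M = re.compile(CSEQ_MISMATCH.pattern, re.S | re.I)


def sip(method, cseq_method, prefix=b""):
    """Build a constructed SIP request payload (sample data, not a capture)."""
    return prefix + b"\r\n".join([
        method + b" sip:bob@example.com SIP/2.0",
        b"Via: SIP/2.0/UDP host.example.com;branch=z9hG4bK1",
        b"CSeq: 1 " + cseq_method,
        b"Content-Length: 0",
        b"", b"",
    ])


def matches(payload):
    """True when the rule's pattern (with /m) fires on the buffer."""
    return CSEQ_MISMATCH.search(payload) is not None


def matches_without_m(payload):
    """True when the pattern fires with "^" pinned to offset 0 only."""
    return CSEQ_MISMATCH_NO_M.search(payload) is not None


if __name__ == "__main__":
    consistent = sip(b"INVITE", b"INVITE")    # request method == CSeq method
    mismatch = sip(b"INVITE", b"OPTIONS")     # request method != CSeq method
    leading_crlf = sip(b"INVITE", b"OPTIONS", prefix=b"\r\n")
    for name, buf in [("consistent", consistent), ("mismatch", mismatch),
                      ("leading CRLF", leading_crlf)]:
        print(f"{name:13} /smi={matches(buf)!s:5} /si={matches_without_m(buf)}")
```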
