git.ipfire.org Git - thirdparty/suricata.git/commit

author	Victor Julien <victor@inliniac.net>
	Fri, 28 Oct 2016 10:27:35 +0000 (12:27 +0200)
committer	Victor Julien <victor@inliniac.net>
	Thu, 16 Feb 2017 09:35:44 +0000 (10:35 +0100)
commit	1ba8c2fe3a7cea32f3045d137ee2f4571f3e8ccc
tree	aab8b8f67c33cd97a2917f3a74b537bd5072d391	tree
parent	0f708d427bbee9708601a8a0557af247a4942f9a	commit \| diff

pcre: new way of specifying var names

Until now the way to specify a var name in pcre substring capture
into pkt and flow vars was to use the pcre named substring support:
e.g. /(?P<pkt_somename>.*)/

This had 2 drawbacks:

1. limitations of the name. The name could be max 32 chars, only have
   alphanumeric and the underscore characters. This imposed limitations
   that are not present in flowbits/ints.

2. we didn't actually use the named substrings in pcre through the
   API. We parsed the names separately. So putting the names in pcre
   would actually be wasteful.

This patch introduces a new way of mapping captures with names:

  pcre:"/(.*)/, pkt:somename";
  pcre:"/([A-z]+) ([0-9]+)/, pkt:somename,flow:anothername";

The order of the captures and the order of the names are mapped 1 on 1.
This method is no longer limited by the pcre API's naming limits. The
'flow:' and 'pkt:' prefixes indicate what the type of variable is. It's
mandatory to specify one.

The old method is still supported as well.