PCRE Syntax
To match a feature string in traffic with a regular expression, use the **pcre** field. The format is as follows:

```
pcre: "/<regex>/[options][extend]";
```

Here, **<regex>** is the regular expression string, **[options]** is the set of option modifiers, and **[extend]** is the extended syntax.

The regular expression string can be written in hexadecimal format. For example, **<CR><LF>** (carriage return and linefeed) can be written in hexadecimal as **\x0d\x0a**.

Options supported by **[options]**:

| Option | Description |
| ---- | ------------------------------------------------------------ |
| i | Case-insensitive regular expression matching. |
| s | The linefeed is not checked. |
| m | If **m** is set, `^` and `$` match the start and end of each line. Otherwise, `^` and `$` match the start and end of the payload. |
| A | Pattern string matching starts at the beginning of the data (same as `^`). |
| E | Pattern string matching stops at the end of the data. |
| G | The greedy mode is not used by default. |
| R | Relative detection flag. The current feature is matched against the data starting from the end position of the previous feature. |

The **extend** field specifies pattern matching in a specific protocol field. When the **extend** field is omitted, pattern matching is performed on the TCP/UDP payload or file content by default. The **extend** field can be written using either of the following methods.

The first method uses a single letter to identify the HTTP protocol field. The following table lists the supported fields.

| Option | Description |
| ---- | ---------------- |
| U | http_uri |
| V | http_user_agent |
| W | http_host |
| H | http_header |
| I | http_raw_uri |
| M | http_method |
| C | http_cookie |
| P | http_client_body |
| Q | http_server_body |
| Y | http_stat_msg |
| S | http_stat_code |

For example, the following rule matches the regular expression **^helloworld** against the HTTP URI, case-insensitively:

```
pcre: "/^helloworld/iU";
```

The second method is more common and supports regular expression matching for more protocols and protocol fields. The format is `#[Protocol name]#[Field name]`. All CONTENT protocol fields of the third-generation engine support regular expression matching using this format. Example:

```
pcre: "/^helloworld/#DNS#QUERY";
```

This rule matches the regular expression **^helloworld** against the **dns_query** field of the DNS protocol. **DNS** is the protocol name, and **QUERY** is the name of the PCRE extension field corresponding to the **dns_query** field. The PCRE extension field names for common protocol fields are described in detail in the chapter on protocol fields.
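
As an added illustration (not code from the original documentation), the following Python parser splits a `pcre` keyword into its regex, option letters and target field, using only the letters listed in the tables above; note that `s`/`S`, `m`/`M` and `i`/`I` differ only by case. The name `parse_pcre` and the rejection of more than one target field are assumptions of this example, not documented engine behaviour.

```python
import re

# Option letters and single-letter HTTP field selectors from the tables above.
OPTIONS = set("ismAEGR")
HTTP_FIELDS = {
    "U": "http_uri", "V": "http_user_agent", "W": "http_host",
    "H": "http_header", "I": "http_raw_uri", "M": "http_method",
    "C": "http_cookie", "P": "http_client_body", "Q": "http_server_body",
    "Y": "http_stat_msg", "S": "http_stat_code",
}
# Greedy (.*) makes the LAST "/" the closing delimiter, so "/" may occur in the regex.
RULE = re.compile(r'^\s*pcre:\s*"/(?P<regex>.*)/(?P<tail>[^/"]*)"\s*;\s*$')
TAIL = re.compile(r'^(?P<letters>[A-Za-z]*)(?:#(?P<proto>\w+)#(?P<field>\w+))?$')

def parse_pcre(rule):
    """Split a pcre keyword into regex, option letters and the inspected field."""
    m = RULE.match(rule)
    if not m:
        raise ValueError("not a pcre keyword: %r" % rule)
    t = TAIL.match(m.group("tail"))
    if not t:
        raise ValueError("malformed options/extend: %r" % m.group("tail"))
    options, http = [], []
    for ch in t.group("letters"):          # lookups are case-sensitive
        if ch in OPTIONS:
            options.append(ch)
        elif ch in HTTP_FIELDS:
            http.append(HTTP_FIELDS[ch])
        else:
            raise ValueError("unknown modifier %r" % ch)
    # Assumption of this example: a rule names at most one target field.
    if len(http) > 1 or (http and t.group("proto")):
        raise ValueError("more than one target field")
    if t.group("proto"):
        target = "#%s#%s" % (t.group("proto"), t.group("field"))
    else:
        # With no extend part, the TCP/UDP payload or file content is inspected.
        target = http[0] if http else "payload"
    return {"regex": m.group("regex"), "options": options, "target": target}
```
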