I'm trying to generate some traces that can trigger snort's alert to test the performance of snort. But there are some pcre options in some rules that contain /R, which I don't understand.
For example, there's a pcre option in one snort rule, pcre: "/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR", and I don't know what "R" means there. I know "s" is a pcre modifier that can set PCRE_DOTALL. But what about "R"? Is it a modifier too or something else?
I've searched the pcre doc, but I didn't find there's an "R" modifier. So I think it's not a modifier.
Here's an example rule that contains a pcre option with /R in it. I got this rule from snort3's community rules.
alert udp $EXTERNAL_NET any -> $HOME_NET 138 ( msg:"OS-WINDOWS Microsoft Windows SMB unicode andx invalid server name share access"; content:"|11|",depth 1; content:"|00|",distance 13; content:"|00|",distance 0; content:"|FF|SMB",within 4,distance 3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u",depth 1,offset 39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"|5C 00 5C 00|",distance 2,nocase; pcre:!"/^([^\x5C\x00].|[\x5c\x00][^\x00])+\x5C\x00/sR"; metadata:policy max-detect-ips drop; reference:cve,2010-0022; reference:url,technet.microsoft.com/en-us/security/bulletin/MS10-012; classtype:protocol-command-decode; sid:16403; rev:12; )
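
Added example, not part of the original post and not Snort's own code: in Snort's pcre option, R is a Snort-specific modifier rather than a PCRE one, and it makes the expression match relative to the end of the last pattern match (similar to distance:0). The Python sketch below is a simplified model of that behaviour; the function names and the sample payload are constructed for illustration.

```python
import re

# Standard PCRE letters Snort passes to the regex engine, mapped to Python's re flags.
PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}

def split_pcre_option(value):
    """Split a Snort pcre option value such as '!"/re/sR"' into its parts."""
    negated = value.startswith("!")
    body = value.lstrip("!").strip('"')
    delim = body[0]                        # '/' in the rule quoted above
    pattern, _, flags = body[1:].rpartition(delim)
    return negated, pattern, flags

def eval_pcre(value, payload, cursor=0):
    """Return the new cursor if the option is satisfied, else None.

    cursor models the end of the previous content/pcre match in the rule.
    """
    negated, pattern, flags = split_pcre_option(value)
    re_flags = 0
    for f in flags:
        re_flags |= PCRE_FLAGS.get(f, 0)   # Snort-only letters such as R are not regex flags
    # R: evaluate from the cursor, so '^' anchors there instead of at byte 0.
    start = cursor if "R" in flags else 0
    m = re.compile(pattern.encode("latin-1"), re_flags).search(payload[start:])
    if negated:
        return cursor if m is None else None
    return start + m.end() if m else None

# Constructed sample buffer: filler, the |FF|SMB marker, then one command byte.
PAYLOAD = b"\x11" + b"\x00" * 4 + b"\xffSMB" + b"\x75" + b"\x00" * 8
AFTER_SMB = PAYLOAD.index(b"\xffSMB") + 4  # where content:"|FF|SMB" leaves the cursor

RELATIVE = r'"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"'
ABSOLUTE = RELATIVE.replace("/sR", "/s")   # same expression without R
NEGATED = r'!"/^([^\x5C\x00].|[\x5c\x00][^\x00])+\x5C\x00/sR"'

if __name__ == "__main__":
    print("with R   :", eval_pcre(RELATIVE, PAYLOAD, AFTER_SMB))
    print("without R:", eval_pcre(ABSOLUTE, PAYLOAD, AFTER_SMB))
```

With R the `^` is tested at the byte right after `|FF|SMB`; without it the same expression is tested against the first byte of the payload and fails on this buffer.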