IDS Signatures – PCRE Into

I am trying to understand IDS signatures, but I always run into a roadblock with PCRE. Is anyone aware of a cheat sheet or site that may help with understanding regular expressions? I’ve found good PCRE regex cheat sheets, but the syntax in the rules doesn’t always match. For example, I am trying to understand the regex of this rule:

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Output of id command from HTTP server"; flow:established; content:"uid="; pcre:"/^\d+[^\r\n\s]+/R"; content:" gid="; within:5; pcre:"/^\d+[^\r\n\s]+/R"; content:" groups="; within:8; classtype:bad-unknown; sid:2019284; tag:session,5,packets; rev:1;)

More specifically, could someone walk me through the PCRE elements?

pcre:"/^\d+[^\r\n\s]+/R"

pcre:"/^\d+[^\r\n\s]+/R"

Any help would be appreciated.

Thank You!
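An added example, not part of the original post or of the rule's project: a simplified Python emulation of the content/pcre/within chain in the rule above, run over constructed payloads. The function names and sample data are assumptions made for illustration, and the engine's full backtracking and flow handling are not modelled.

```python
import re

# pcre body copied from the rule; the delimiters and /R are IDS syntax, not regex:
#   ^           anchor at the starting position
#   \d+         one or more digits (the numeric id)
#   [^\r\n\s]+  one or more bytes that are not whitespace, e.g. "(www-data)"
#   /R          start relative to the end of the previous match (after "uid=")
RELATIVE_PCRE = re.compile(rb"^\d+[^\r\n\s]+")

# Constructed sample payloads (not taken from real traffic).
SAMPLES = {
    "id_output": b"HTTP/1.1 200 OK\r\n\r\nuid=33(www-data) gid=33(www-data) groups=33(www-data)\n",
    "html_link": b'<a href="/user?uid=42&view=full">profile</a>',
    "bare_ids": b"uid=0 gid=0 groups=0",  # digit with nothing after it: pcre fails
}


def relative_pcre(data: bytes, pos: int):
    """Emulate pcre:"/.../R": match on the bytes after pos; return end offset or None."""
    m = RELATIVE_PCRE.match(data[pos:])
    return pos + m.end() if m else None


def content_within(data: bytes, pos: int, needle: bytes, within: int):
    """Emulate content:"needle"; within:N: needle must fit in the next N bytes after pos."""
    idx = data[pos:pos + within].find(needle)
    return pos + idx + len(needle) if idx != -1 else None


def rule_matches(payload: bytes) -> bool:
    """Walk the rule's chain from every "uid=" occurrence in the payload."""
    hit = payload.find(b"uid=")
    while hit != -1:
        end = relative_pcre(payload, hit + len(b"uid="))
        if end is not None:
            end = content_within(payload, end, b" gid=", 5)    # 5 bytes: must follow at once
        if end is not None:
            end = relative_pcre(payload, end)
        if end is not None and content_within(payload, end, b" groups=", 8) is not None:
            return True
        hit = payload.find(b"uid=", hit + 1)
    return False


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name}: {'alert' if rule_matches(payload) else 'no match'}")
```

Because `" gid="` is exactly 5 bytes and `" groups="` exactly 8, the `within` values force each keyword to follow the preceding match with no gap.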
