[Oisf-devel] PCRE '/R' bug?
Harley H
bobb.harley at gmail.com
Fri Jan 31 21:40:04 UTC 2014
Hello,
I was going to submit this through Redmine but I'm not receiving the
account activation email. I'm trying to write a rule like this:
alert tcp $HOME_NET any -> $EXTERNAL_NET $WEB_PORTS (msg: "Testing Rule";
content: "baduricontent"; http_raw_uri; pcre: "/[a-z]{5}.html"/R"; sid:
123; rev: 1;)
But am receiving this error message:
31/1/2014 -- 16:19:25 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
No preceding content or uricontent or pcre option
31/1/2014 -- 16:19:25 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:
"Testing URL"; content: "baduricontent"; http_raw_uri; pcre:
"/[a-z]{5}\.html/R"; sid: 98765; rev: 1;)" from file
/root/Desktop/Local_Workspace/IDS_Rules/testing.rules at line 1
When I get rid of 'http_raw_uri' and replace that 'content' with
'uricontent' the same error message is produced.
-Harley
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20140131/cfafd16f/attachment.html>
More information about the Oisf-devel
mailing list