[Oisf-devel] PCRE '/R' bug?

rmkml rmkml at yahoo.fr
Fri Jan 31 22:28:44 UTC 2014


Hi Harley,

Yes, it does not work on Suricata v1.4.7 but fires on v2.0 beta 2.


oisf-devel: But maybe you have another bug on Suricata v2.0 beta 2; let me explain:
  If you add ^ at the beginning of the pcre, Suricata does not fire on this URI: baduricontentabcde.html
(It fires on Snort)

fires on suri v2:
alert tcp any any -> any 80 (msg:"Testing Rule"; content:"baduricontent"; http_raw_uri; pcre:"/[a-z]{5}\.html/R"; sid:1; rev:2;)

does not fire on suri v2:
alert tcp any any -> any 80 (msg:"Testing Rule"; content:"baduricontent"; http_raw_uri; pcre:"/^[a-z]{5}\.html/R"; sid:2; rev:2;)

Tested with: wget http://google.com/baduricontentabcde.html
(pcap file attached)

Can anyone confirm, please?

Regards
@Rmkml
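As an added illustration (not code from this thread, nor from Suricata or Snort), here is a Python emulation of two ways a rule engine could implement the /R (relative) modifier, run against the raw URI from the wget test above. The variant that slices the buffer at the end of the content match fires for both sid:1 and sid:2; the variant that keeps the full buffer and passes a start offset to the regex engine fires only for sid:1, which is exactly the difference the mail reports. The thread does not establish which of the two Suricata 2.0 beta 2 actually did; the function names and the `compare` helper are assumptions of this example.

```python
import re

# Constructed sample input: the raw URI from the wget test in the mail,
# as the buffer an IDS would hand to a http_raw_uri content match.
RAW_URI = b"/baduricontentabcde.html"
CONTENT = b"baduricontent"

# The two pcre bodies from sid:1 and sid:2, without the /R flag
# (the relative semantics are emulated by the functions below).
PATTERN_UNANCHORED = rb"[a-z]{5}\.html"
PATTERN_ANCHORED = rb"^[a-z]{5}\.html"


def relative_match_by_slice(buf, content, pattern):
    """Emulate pcre /R by slicing: the regex only ever sees the bytes that
    follow the content match, so '^' means 'immediately after the content'."""
    idx = buf.find(content)
    if idx < 0:
        return None
    rest = buf[idx + len(content):]
    m = re.search(pattern, rest)
    return m.group(0) if m else None


def relative_match_by_offset(buf, content, pattern):
    """Emulate pcre /R by passing a start offset on the full buffer.
    Like PCRE's startoffset argument, Python's pos argument does not move the
    subject start, so '^' still refers to the real beginning of the buffer."""
    idx = buf.find(content)
    if idx < 0:
        return None
    m = re.compile(pattern).search(buf, idx + len(content))
    return m.group(0) if m else None


def compare(buf=RAW_URI, content=CONTENT):
    """Return, per rule and per emulation, whether the pcre part fires."""
    return {
        "sid1_slice": relative_match_by_slice(buf, content, PATTERN_UNANCHORED) is not None,
        "sid1_offset": relative_match_by_offset(buf, content, PATTERN_UNANCHORED) is not None,
        "sid2_slice": relative_match_by_slice(buf, content, PATTERN_ANCHORED) is not None,
        "sid2_offset": relative_match_by_offset(buf, content, PATTERN_ANCHORED) is not None,
    }


if __name__ == "__main__":
    for rule, fired in compare().items():
        print(f"{rule}: {'fires' if fired else 'does not fire'}")
```

The practical check for a rule writer is the same either way: when a rule combines ^ with /R, confirm with a captured pcap against the exact engine version that the anchor is interpreted relative to the previous content match and not relative to the start of the whole buffer, since the two interpretations give different results on the same traffic.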




On Fri, 31 Jan 2014, Harley H wrote:

> Good catch but that's a typo. I typed the rule in vice copying/pasting like I should have.
> 
> 
> On Fri, Jan 31, 2014 at 5:02 PM, Edward Fjellskål <edwardfjellskaal at gmail.com> wrote:
>       -----BEGIN PGP SIGNED MESSAGE-----
>       Hash: SHA1
>
>       "/[a-z]{5}.html"/R"
> 
> 
> is there one " too many?
> 
> E
> 
> On 01/31/2014 10:40 PM, Harley H wrote:
> > Hello, I was going to submit this through Redmine but I'm not
> > receiving the account activation email. I'm trying to write a rule
> > like this:
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $WEB_PORTS (msg: "Testing
> > Rule"; content: "baduricontent"; http_raw_uri; pcre:
> > "/[a-z]{5}.html"/R"; sid: 123; rev: 1;)
> >
> > But am receiving this error message:
> >
> > 31/1/2014 -- 16:19:25 - <Error> - [ERRCODE:
> > SC_ERR_INVALID_SIGNATURE(39)] - No preceding content or uricontent
> > or pcre option 31/1/2014 -- 16:19:25 - <Error> - [ERRCODE:
> > SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp
> > $HOME_NET any -> $EXTERNAL_NET any (msg: "Testing URL"; content:
> > "baduricontent"; http_raw_uri; pcre: "/[a-z]{5}\.html/R"; sid:
> > 98765; rev: 1;)" from file
> > /root/Desktop/Local_Workspace/IDS_Rules/testing.rules at line 1
> >
> >
> > When I get rid of 'http_raw_uri' and replace that 'content' with
> > 'uricontent' the same error message is produced.
> >
> > -Harley
> >
> >
> >
> > _______________________________________________
> > Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> > Redmine: https://redmine.openinfosecfoundation.org/
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> 
> iQEcBAEBAgAGBQJS7B1gAAoJEAf3kNGaI009hbcH/jhJLiiAvJsaotlvurDnST9Q
> 0TZ/VH7bVXV5hH59zw0hSM9XZppzaNXuoPtUAGeFU4Mp4ZsAvy3W404FmYjMN9/7
> QcqCl/Fx5Yw2+ZqmNo3bgo0kjC0vQ9n4YnsGg2d6HY5Dn1jNTNAZQ2W49fzRfqHw
> BLFCdFWGD8Kkd+iDoXL8bmfvIL2G71oIEIA8VKC7CnBNQaoAcMpTvsK6nxfY1iGk
> /aPfMGwRcIHSbKclQAUKZGb3fChmNqDQhM1xJbBGdjaIsXpofAfslbFFhZxCjjd6
> 52kIoVJgh8SmU+tHmyEoOqe5mVxpH75hsnB8i7fIdp7uVKYO1ivrMswQ5hV31Lo=
> =Tsxj
> -----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricatav20beta2httprawuriFN.pcap
Type: application/vnd.tcpdump.pcap
Size: 1613 bytes
Desc: 
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20140131/b638eb32/attachment.pcap>

