<div dir="ltr">Good catch but that's a typo. I typed the rule in vice copying/pasting like I should have.</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jan 31, 2014 at 5:02 PM, Edward Fjellskål <span dir="ltr"><<a href="mailto:edwardfjellskaal@gmail.com" target="_blank">edwardfjellskaal@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im"><br>
"/[a-z]{5}.html"/R"<br>
<br>
<br>
</div>is there a " too much?<br>
<br>
E<br>
<div><div class="h5"><br>
On 01/31/2014 10:40 PM, Harley H wrote:<br>
> Hello, I was going to submit this through Redmine but I'm not<br>
> receiving the account activation email. I'm trying to write a rule<br>
> like this:<br>
><br>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $WEB_PORTS (msg: "Testing<br>
> Rule"; content: "baduricontent"; http_raw_uri; pcre:<br>
> "/[a-z]{5}.html"/R"; sid: 123; rev: 1;)<br>
><br>
> But am receiving this error message:<br>
><br>
> 31/1/2014 -- 16:19:25 - <Error> - [ERRCODE:<br>
> SC_ERR_INVALID_SIGNATURE(39)] - No preceding content or uricontent<br>
> or pcre option 31/1/2014 -- 16:19:25 - <Error> - [ERRCODE:<br>
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp<br>
> $HOME_NET any -> $EXTERNAL_NET any (msg: "Testing URL"; content:<br>
> "baduricontent"; http_raw_uri; pcre: "/[a-z]{5}\.html/R"; sid:<br>
> 98765; rev: 1;)" from file<br>
> /root/Desktop/Local_Workspace/IDS_Rules/testing.rules at line 1<br>
><br>
><br>
> When I get rid of 'http_raw_uri' and replace that 'content' with<br>
> 'uricontent' the same error message is produced.<br>
><br>
> -Harley<br>
><br>
><br>
><br>
</div></div>> _______________________________________________ Suricata IDS Devel<br>
> mailing list: <a href="mailto:oisf-devel@openinfosecfoundation.org">oisf-devel@openinfosecfoundation.org</a> Site:<br>
> <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Participate:<br>
> <a href="http://suricata-ids.org/participate/" target="_blank">http://suricata-ids.org/participate/</a> List:<br>
> <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
><br>
><br>
Redmine: <a href="https://redmine.openinfosecfoundation.org/" target="_blank">https://redmine.openinfosecfoundation.org/</a><br>
><br>
</blockquote></div><br></div>