<div dir="ltr">You need to specify relative pcre matches like this, then it works... Note the "I".<div><br></div><div><div>alert tcp any any -> any 80 (msg:"Testing Rule"; content:"baduricontent"; http_raw_uri; pcre:"/^[a-z]{5}\.html/IR"; sid:2; rev:2;)</div>
</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Feb 4, 2014 at 9:50 AM, rmkml <span dir="ltr"><<a href="mailto:rmkml@yahoo.fr" target="_blank">rmkml@yahoo.fr</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Thx Anoop,<br>
<br>
opened Suricata redmine ticket #1098.<br>
<br>
Thx for your time.<br>
@Rmkml<div><div class="h5"><br>
<br>
<br>
On Mon, 3 Feb 2014, Anoop Saldanha wrote:<br>
<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
rmkml,<br>
<br>
If that specific case isn't firing, that's a bug indeed. Can you<br>
please open a ticket for it?<br>
<br>
On Sat, Feb 1, 2014 at 3:58 AM, rmkml <<a href="mailto:rmkml@yahoo.fr" target="_blank">rmkml@yahoo.fr</a>> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
Hi Harley,<br>
<br>
Yes, it does not work on Suricata v1.4.7 but fires on v2.0 beta 2.<br>
<br>
<br>
oisf-devel: But maybe you have another bug on Suricata v2.0 beta 2, let me<br>
explain:<br>
If you add ^ at the beginning of the pcre, Suricata does not fire with this URI:<br>
baduricontentabcde.html<br>
(It fires on Snort)<br>
<br>
fires on suri v2:<br>
alert tcp any any -> any 80 (msg:"Testing Rule"; content:"baduricontent";<br>
http_raw_uri; pcre:"/[a-z]{5}\.html/R"; sid:1; rev:2;)<br>
<br>
does not fire on suri v2:<br>
alert tcp any any -> any 80 (msg:"Testing Rule"; content:"baduricontent";<br>
http_raw_uri; pcre:"/^[a-z]{5}\.html/R"; sid:2; rev:2;)<br>
<br>
Tested with: wget <a href="http://google.com/baduricontentabcde.html" target="_blank">http://google.com/baduricontentabcde.html</a><br>
(pcap file attached)<br>
<br>
Can anyone confirm, please?<br>
<br>
Regards<br>
@Rmkml<br>
<br>
<br>
<br>
<br>
<br>
On Fri, 31 Jan 2014, Harley H wrote:<br>
<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
Good catch but that's a typo. I typed the rule in vice copying/pasting<br>
like I should have.<br>
<br>
<br></div></div>
On Fri, Jan 31, 2014 at 5:02 PM, Edward Fjellskål<div><div class="h5"><br>
<<a href="mailto:edwardfjellskaal@gmail.com" target="_blank">edwardfjellskaal@gmail.com</a>> wrote:<br>
<br>
"/[a-z]{5}.html"/R"<br>
<br>
<br>
is there a " too many?<br>
<br>
E<br>
<br>
On 01/31/2014 10:40 PM, Harley H wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello, I was going to submit this through Redmine but I'm not<br>
receiving the account activation email. I'm trying to write a rule<br>
like this:<br>
<br>
alert tcp $HOME_NET any -> $EXTERNAL_NET $WEB_PORTS (msg: "Testing<br>
Rule"; content: "baduricontent"; http_raw_uri; pcre:<br>
"/[a-z]{5}.html"/R"; sid: 123; rev: 1;)<br>
<br>
But am receiving this error message:<br>
<br>
31/1/2014 -- 16:19:25 - <Error> - [ERRCODE:<br>
SC_ERR_INVALID_SIGNATURE(39)] - No preceding content or uricontent<br>
or pcre option<br>
31/1/2014 -- 16:19:25 - <Error> - [ERRCODE:<br>
SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp<br>
$HOME_NET any -> $EXTERNAL_NET any (msg: "Testing URL"; content:<br>
"baduricontent"; http_raw_uri; pcre: "/[a-z]{5}\.html/R"; sid:<br>
98765; rev: 1;)" from file<br>
/root/Desktop/Local_Workspace/IDS_Rules/testing.rules at line 1<br>
<br>
<br>
When I get rid of 'http_raw_uri' and replace that 'content' with<br>
'uricontent' the same error message is produced.<br>
<br>
-Harley<br>
</blockquote></div></div></blockquote></blockquote></blockquote><div class="HOEnZb"><div class="h5">
_______________________________________________<br>
Suricata IDS Devel mailing list: <a href="mailto:oisf-devel@openinfosecfoundation.org" target="_blank">oisf-devel@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Participate: <a href="http://suricata-ids.org/participate/" target="_blank">http://suricata-ids.org/participate/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>
Redmine: <a href="https://redmine.openinfosecfoundation.org/" target="_blank">https://redmine.openinfosecfoundation.org/</a><br>
</div></div></blockquote></div><br></div>
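As an added illustration of the relative-match semantics discussed in this thread (example code written for this page, not Suricata's own implementation): a small Python emulation of a `content` keyword followed by a `pcre` with the R modifier, showing why the thread's `^`-anchored rule should still fire on the URI from the thread, and what the anchor rules out. The two pcre strings are the ones from the thread; the sample URIs and the helper names are constructed.

```python
import re

def parse_pcre_option(opt: str) -> tuple[str, set[str]]:
    """Split a rule's pcre option value "/pattern/flags" into its two parts.

    Flags are Suricata's single-letter modifiers (R = relative to the previous
    content match, I = raw URI buffer, i = case-insensitive, ...).
    """
    if not opt.startswith("/") or opt.rfind("/") == 0:
        raise ValueError(f"malformed pcre option: {opt!r}")
    pattern, flags = opt[1:].rsplit("/", 1)
    return pattern, set(flags)

def rule_fires(raw_uri: str, content: str, pcre_opt: str) -> bool:
    """Emulate `content:"..."; http_raw_uri; pcre:"/.../R";` on one raw URI.

    With R, the regex is applied to the bytes *after* the content match, so a
    leading ^ anchors at that offset rather than at the start of the URI.
    Slicing the buffer reproduces that semantics (Python's re treats ^ as the
    start of the string it is handed, unlike search() with a start position).
    """
    pattern, flags = parse_pcre_option(pcre_opt)
    regex = re.compile(pattern, re.IGNORECASE if "i" in flags else 0)
    idx = raw_uri.find(content)
    if idx == -1:
        return False  # the content keyword must match before the pcre is tried
    haystack = raw_uri[idx + len(content):] if "R" in flags else raw_uri
    return regex.search(haystack) is not None

# The two rules from the thread: sid 1 unanchored, sid 2 anchored with ^ (plus I).
SID1_PCRE = r"/[a-z]{5}\.html/R"
SID2_PCRE = r"/^[a-z]{5}\.html/IR"

# Constructed raw URIs, not taken from the thread's pcap.
SAMPLES = [
    "/baduricontentabcde.html",   # the URI from the thread: both rules should fire
    "/baduricontent/abcde.html",  # ^ anchor fails: a '/' follows the content match
    "/abcde.html",                # no content match at all, so no pcre evaluation
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(f"{uri:28} sid1={rule_fires(uri, 'baduricontent', SID1_PCRE)!s:5} "
              f"sid2={rule_fires(uri, 'baduricontent', SID2_PCRE)}")
```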