[Oisf-users] Suricata versions (4.1.2 and 3.1) will not run after initial install on CENTOS 6.10 with SC_ERR_PCRE_COMPILE error

Peter Manev petermanev at gmail.com
Wed Jan 9 13:31:46 UTC 2019


On Tue, Jan 1, 2019 at 11:37 PM MATT DOUgherty <doughertysnp at gmail.com> wrote:
>
> Attaching a debug file with some repetitive lines removed << >>.
>
> Not sure if the attachment will go through. I specify a signature file that I know exists and I get the same thing. strace shows it never even tries to open the sig file.
>

Seems it is working/loading up fine on CentOS 6 here:
[root@ca2ed7de11d6 suricata]# suricata -i eth0 -S /etc/suricata/emerging-all.rules  -T
9/1/2019 -- 13:29:23 - <Info> - Running suricata under test mode
9/1/2019 -- 13:29:23 - <Notice> - This is Suricata version 4.1.2 RELEASE
9/1/2019 -- 13:29:25 - <Notice> - Configuration provided was successfully loaded. Exiting.
[root@ca2ed7de11d6 suricata]# cat /etc/centos-release
CentOS release 6.10 (Final)
[root@ca2ed7de11d6 suricata]#

So it may be related to other pkgs or installs interfering, I suspect.


> Matt.
>
>
> On Jan 1, 2019, at 2:27 PM, Eric Urban <eurban at umn.edu> wrote:
>
> That pcre is present in detect-engine-event.c (https://github.com/OISF/suricata/blob/16643befe7bebb9736d44f3a02efdf71135a7b84/src/detect-engine-event.c#L45), so the error is likely coming from detect-parse.c at https://github.com/OISF/suricata/blob/b51e4a395978889fabba99287261a616aa8cd37a/src/detect-parse.c#L2286.
>
> At a glance it looks like this could happen without signatures loaded, but am not positive.
>
> --
> Eric Urban
> University Information Security | Office of Information Technology | it.umn.edu
> University of Minnesota | umn.edu
> eurban at umn.edu
>
>
> On Tue, Jan 1, 2019 at 8:40 AM MATT DOUgherty <doughertysnp at gmail.com> wrote:
>>
>> Thank you for the reply Peter.
>>
>> Yes, same results.
>>
>> [root@newfw ~]# /usr/bin/suricata -c /etc/suricata/suricata.yaml -S /dev/null -i eth1
>> 1/1/2019 -- 04:33:29 - <Notice> - This is Suricata version 4.1.2 RELEASE
>> 1/1/2019 -- 04:33:29 - <Error> - [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of "\S[0-9A-z_]+[.][A-z0-9_+.]+$" failed at offset 12: POSIX collating elements are not supported
>>
>> Offset 12 seems to indicate the plus character so I changed every instance to {1,} and still get the same basic error.
>>
>> [root@newfw ~]# /usr/bin/suricata -c /etc/suricata/suricata.yaml -S /dev/null -i eth1
>> 1/1/2019 -- 04:33:29 - <Notice> - This is Suricata version 4.1.2 RELEASE
>> 1/1/2019 -- 04:33:29 - <Error> - [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of "\S[0-9A-z_]+[.][A-z0-9_+.]+$" failed at offset 12: POSIX collating elements are not supported
>>
>>
>> Thanks for the thought. Maybe multiple Python regex libraries? I know it must be me because no one else seems to have this issue.
>>
>> Matt.
>>
>> On Jan 1, 2019, at 4:14 AM, Peter Manev <petermanev at gmail.com> wrote:
>>
>>
>>
>> On 30 Dec 2018, at 16:57, MATT DOUgherty <doughertysnp at gmail.com> wrote:
>>
>> I get a PCRE compile error that prevents any other interesting log data. Does anyone have an idea of what that could be?
>>
>> This is a clean install from source on CENTOS 6.10 with several versions of Suricata. I have snort installed. Is the existing snort install messing it up?
>>
>>
>> [root@newfw suricata-4.1.2]# /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth1
>> 30/12/2018 -- 04:51:07 - <Notice> - This is Suricata version 4.1.2 RELEASE
>> 30/12/2018 -- 04:51:07 - <Error> - [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of "\S[0-9A-z_]+[.][A-z0-9_+.]+$" failed at offset 12: POSIX collating elements are not supported
>>
>> ____
>>
>>
>> Do you have the same error if you start/load with 0 rules? (You can try adding "-S /dev/null" to the starting line; could be rule related, I was thinking.)
>>
>>
>>
>> ___________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>> Conference: https://suricon.net
>> Trainings: https://suricata-ids.org/training/
>>
>
>


-- 
Regards,
Peter Manev
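
A triage helper for the SC_ERR_PCRE_COMPILE line quoted in this thread, added here as an example (it is not code from the thread or from the Suricata project): it parses the log line and marks the character at the reported offset. It assumes the offset is the zero-based one that pcre_compile() reports; the function names are hypothetical.

```python
import re

# Line format as it appears in the thread's Suricata output.
LINE_RE = re.compile(
    r'SC_ERR_PCRE_COMPILE\(\d+\)\] - pcre compile of "(?P<pattern>.*)" '
    r'failed at offset (?P<offset>\d+): (?P<reason>.*)$'
)

# POSIX bracket introducers: "[" followed by one of these characters.
POSIX_INTRODUCERS = {".": "collating element", "=": "equivalence class",
                     ":": "named class"}

def parse_pcre_error(line):
    """Return details of an SC_ERR_PCRE_COMPILE log line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    pattern, offset = m.group("pattern"), int(m.group("offset"))
    # Assumption: the offset is zero-based, as pcre_compile() reports it.
    char = pattern[offset] if offset < len(pattern) else ""
    nxt = pattern[offset + 1:offset + 2]
    posix = POSIX_INTRODUCERS.get(nxt) if char == "[" else None
    return {
        "pattern": pattern,
        "offset": offset,
        "reason": m.group("reason").strip(),
        "char": char,
        "posix": posix,
        "caret": " " * offset + "^",
    }

# First line is copied from the thread; the second is constructed.
SAMPLE_LINES = [
    '1/1/2019 -- 04:33:29 - <Error> - [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - '
    'pcre compile of "\\S[0-9A-z_]+[.][A-z0-9_+.]+$" failed at offset 12: '
    'POSIX collating elements are not supported',
    '1/1/2019 -- 04:33:29 - <Notice> - This is Suricata version 4.1.2 RELEASE',
]

def report(lines):
    """Render each parsed error as the pattern with a caret under the offset."""
    out = []
    for line in lines:
        info = parse_pcre_error(line)
        if info:
            out.append(f'{info["pattern"]}\n{info["caret"]}  {info["char"]!r} '
                       f'(POSIX: {info["posix"]}) - {info["reason"]}')
    return out

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LINES)))
```

Under the zero-based assumption, the caret for the thread's log line lands on the `[` that opens `[.]`.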

