Victor, it looks like you're right. I have multiple libpcre.so files in my ldconfig.<div><br></div><div>I guess I'm just not sure how to fix the problem. I tried apt-get remove libpcre3-devel but it doesn't seem to make a difference.</div>
<div><br></div><div>Thanks!<br><br><div class="gmail_quote">On Wed, Jul 11, 2012 at 5:34 PM, Victor Julien <span dir="ltr"><<a href="mailto:victor@inliniac.net" target="_blank">victor@inliniac.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 07/11/2012 07:56 PM, Brandon Ganem wrote:<br>
> Hi all,<br>
> I'm trying to use signatures with PCRE in them. Looking at my<br>
> suricata.log file I see many entries with the following:<br>
><br>
><br>
> [18575] 11/7/2012 -- 13:22:40 - (detect-pcre.c:949) <Error><br>
> (DetectPcreParse) -- [ERRCODE: SC_ERR_PCRE_STUDY(6)] - pcre study failed<br>
> : unknown or incorrect option bit(s) set<br>
> [18575] 11/7/2012 -- 13:22:40 - (detect.c:547) <Error><br>
> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error<br>
> parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS<br>
> (msg:"ET WORM AirOS .css Worm Outbound Propagation Sweep";<br>
> flow:established,to_server; content:"/admin.cgi/.gif"; http_uri;<br>
> pcre:"/Host\x3a ([0-9]{1,3}\.){3}[0-9]{1,3}/H";<br>
> reference:url,<a href="http://seclists.org/fulldisclosure/2011/Dec/419" target="_blank">seclists.org/fulldisclosure/2011/Dec/419</a><br>
</div>> <<a href="http://seclists.org/fulldisclosure/2011/Dec/419" target="_blank">http://seclists.org/fulldisclosure/2011/Dec/419</a>>;<br>
> reference:url,<a href="http://www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/" target="_blank">www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/</a><br>
> <<a href="http://www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/" target="_blank">http://www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/</a>>;<br>
<div class="im">> classtype:trojan-activity; sid:2014041; rev:5;)" from file<br>
> /etc/suricata/rules/worm.rules at line 152<br>
><br>
> I've installed pcre with jit enabled as<br>
> per: <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_PCRE-JIT" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_PCRE-JIT</a><br>
> I<br>
> also referenced: <a href="http://blog.inliniac.net/2011/10/12/suricata-and-pcre-performance/" target="_blank">http://blog.inliniac.net/2011/10/12/suricata-and-pcre-performance/</a><br>
><br>
> Note, as far as I can tell this happens on every sig with PCRE in it.<br>
> Hard to tell. Am I just doing something wrong?<br>
> I'm on the latest GIT, along with pcre 8.31 (I was on 8.20 RC1 as per<br>
> the guide, but I upgraded in an attempt to fix this)<br>
<br>
</div>Seen this error before. It turned out I used headers from 8.31, but<br>
linked against the distro libpcre.<br>
<br>
I'm pretty sure you have either a typo in your --with-libpcre-* or you<br>
have multiple libpcre.so's of different versions in your ld path.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
---------------------------------------------<br>
Victor Julien<br>
<a href="http://www.inliniac.net/" target="_blank">http://www.inliniac.net/</a><br>
PGP: <a href="http://www.inliniac.net/victorjulien.asc" target="_blank">http://www.inliniac.net/victorjulien.asc</a><br>
---------------------------------------------<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
<br>
<br>
_______________________________________________<br>
Oisf-users mailing list<br>
<a href="mailto:Oisf-users@openinfosecfoundation.org">Oisf-users@openinfosecfoundation.org</a><br>
<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</div></div></blockquote></div><br></div>
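Added example, not part of the original thread and not Suricata project code: a shell check for the condition Victor describes, where more than one directory in the loader cache supplies libpcre.so. It parses `ldconfig -p` output; the sample cache lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ldconfig -p` output (not taken from the thread).
sample_ldconfig() {
cat <<'EOF'
    libz.so.1 (libc6,x86-64) => /lib/x86_64-linux-gnu/libz.so.1
    libpcreposix.so.3 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libpcreposix.so.3
    libpcre.so.3 (libc6,x86-64) => /lib/x86_64-linux-gnu/libpcre.so.3
    libpcre.so.1 (libc6,x86-64) => /usr/local/lib/libpcre.so.1
    libpcre.so (libc6,x86-64) => /usr/local/lib/libpcre.so
EOF
}

# Read `ldconfig -p` text on stdin and print each distinct directory that
# supplies libpcre.so or libpcre.so.N (libpcreposix and others are skipped).
pcre_dirs() {
    awk '$1 ~ /^libpcre\.so(\.[0-9]+)*$/ && $(NF-1) == "=>" {
        dir = $NF
        sub("/[^/]*$", "", dir)        # strip the file name, keep the directory
        if (!seen[dir]++) print dir
    }'
}

# Exit status 0 when at most one directory supplies libpcre, 1 otherwise.
pcre_single_copy() {
    n=$(( $(pcre_dirs | wc -l) ))
    [ "$n" -le 1 ]
}

# Demo on the constructed sample. On a real host, feed it `ldconfig -p`, and
# compare with what the binary resolves: ldd "$(command -v suricata)" | grep pcre
if sample_ldconfig | pcre_single_copy; then
    echo "libpcre comes from a single directory"
else
    echo "libpcre found in more than one directory:"
    sample_ldconfig | pcre_dirs
fi
```

A second directory in the output means the headers used at build time and the library resolved at run time can come from different PCRE versions, which is the mismatch behind the `pcre study failed` error above.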