<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">That pcre is present in detect-engine-event.c (<a href="https://github.com/OISF/suricata/blob/16643befe7bebb9736d44f3a02efdf71135a7b84/src/detect-engine-event.c#L45">https://github.com/OISF/suricata/blob/16643befe7bebb9736d44f3a02efdf71135a7b84/src/detect-engine-event.c#L45</a>), so the error is likely coming from detect-parse.c at <a href="https://github.com/OISF/suricata/blob/b51e4a395978889fabba99287261a616aa8cd37a/src/detect-parse.c#L2286">https://github.com/OISF/suricata/blob/b51e4a395978889fabba99287261a616aa8cd37a/src/detect-parse.c#L2286</a>.</div><div dir="ltr"><br></div><div>At a glance it looks like this could happen without signatures loaded, but am not positive.</div><div dir="ltr"><br><div><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><span style="color:rgb(0,0,0);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;white-space:nowrap">-- </span></div><div dir="ltr"><span style="color:rgb(0,0,0);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;font-weight:bold;white-space:nowrap">Eric Urban</span><br></div><div dir="ltr"><span style="color:rgb(0,0,0);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap">University Information Security | Office of Information Technology | </span><a href="http://it.umn.edu/" style="color:rgb(17,85,204);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap" target="_blank">it.umn.edu</a><br style="color:rgb(0,0,0);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap"><span style="color:rgb(0,0,0);font-family:"Helvetica 
Neue",Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap">University of Minnesota | </span><a href="http://umn.edu/" style="color:rgb(17,85,204);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap" target="_blank">umn.edu</a><br style="color:rgb(0,0,0);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap"><a href="mailto:eurban@umn.edu" style="color:rgb(17,85,204);font-family:"Helvetica Neue",Helvetica,sans-serif;font-size:small;line-height:17.29px;white-space:nowrap" target="_blank">eurban@umn.edu</a><font face="verdana, sans-serif" style="color:rgb(136,136,136);font-size:12.8px"><br></font></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><br></div></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Jan 1, 2019 at 8:40 AM MATT DOUgherty <<a href="mailto:doughertysnp@gmail.com">doughertysnp@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;">Thank you for the reply Peter.<div><br></div><div>Yes,   Same results.</div><div><br><div><div style="margin:0px;font-stretch:normal;font-size:15px;line-height:normal;font-family:"Andale Mono";color:rgb(47,255,18);background-color:rgba(0,0,0,0.9)"><span style="font-variant-ligatures:no-common-ligatures">[root@newfw ~]# /usr/bin/suricata -c /etc/suricata/suricata.yaml -S /dev/null -i eth1</span></div><div style="margin:0px;font-stretch:normal;font-size:15px;line-height:normal;font-family:"Andale Mono";color:rgb(159,160,28);background-color:rgba(0,0,0,0.9)"><span style="font-variant-ligatures:no-common-ligatures;color:rgb(47,180,29)">1/1/2019 -- 04:33:29</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(47,255,18)"> - <</span><span 
style="font-variant-ligatures:no-common-ligatures">Notice</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(47,255,18)">> - </span><span style="font-variant-ligatures:no-common-ligatures">This is Suricata version 4.1.2 RELEASE</span></div><div style="margin:0px;font-stretch:normal;font-size:15px;line-height:normal;font-family:"Andale Mono";color:rgb(180,36,25);background-color:rgba(0,0,0,0.9)"><span style="font-variant-ligatures:no-common-ligatures;color:rgb(47,180,29)">1/1/2019 -- 04:33:29</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(47,255,18)"> - <</span><span style="font-variant-ligatures:no-common-ligatures">Error</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(47,255,18)">> - [</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(159,160,28)">ERRCODE</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(47,255,18)">: </span><span style="font-variant-ligatures:no-common-ligatures">SC_ERR_PCRE_COMPILE</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(47,255,18)">(</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(159,160,28)">5</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(47,255,18)">)] - </span><span style="font-variant-ligatures:no-common-ligatures">pcre compile of "\S[0-9A-z_]+[.][A-z0-9_+.]+$" failed at offset 12: POSIX collating elements are not supported</span></div><div><span style="font-variant-ligatures:no-common-ligatures"><br></span></div><div>Offset 12 seems to indicate the plus character so I changed every instance to {1,} and still get the same basic error.</div><div><br></div><div><div style="margin:0px;font-stretch:normal;font-size:15px;line-height:normal;font-family:"Andale Mono";color:rgb(47,255,18);background-color:rgba(0,0,0,0.9)"><span style="font-variant-ligatures:no-common-ligatures">[root@newfw ~]# /usr/bin/suricata -c /etc/suricata/suricata.yaml -S /dev/null 
-i eth1</span></div><div style="margin:0px;font-stretch:normal;font-size:15px;line-height:normal;font-family:"Andale Mono";color:rgb(159,160,28);background-color:rgba(0,0,0,0.9)"><span style="font-variant-ligatures:no-common-ligatures;color:rgb(47,180,29)">1/1/2019 -- 04:33:29</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(47,255,18)"> - <</span><span style="font-variant-ligatures:no-common-ligatures">Notice</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(47,255,18)">> - </span><span style="font-variant-ligatures:no-common-ligatures">This is Suricata version 4.1.2 RELEASE</span></div><div style="margin:0px;font-stretch:normal;font-size:15px;line-height:normal;font-family:"Andale Mono";color:rgb(180,36,25);background-color:rgba(0,0,0,0.9)"><span style="font-variant-ligatures:no-common-ligatures;color:rgb(47,180,29)">1/1/2019 -- 04:33:29</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(47,255,18)"> - <</span><span style="font-variant-ligatures:no-common-ligatures">Error</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(47,255,18)">> - [</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(159,160,28)">ERRCODE</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(47,255,18)">: </span><span style="font-variant-ligatures:no-common-ligatures">SC_ERR_PCRE_COMPILE</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(47,255,18)">(</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(159,160,28)">5</span><span style="font-variant-ligatures:no-common-ligatures;color:rgb(47,255,18)">)] - </span><span style="font-variant-ligatures:no-common-ligatures">pcre compile of "\S[0-9A-z_]+[.][A-z0-9_+.]+$" failed at offset 12: POSIX collating elements are not supported</span></div></div><div><span style="font-variant-ligatures:no-common-ligatures"><br></span></div><div><span 
style="font-variant-ligatures:no-common-ligatures"><br></span></div><div><span style="font-variant-ligatures:no-common-ligatures">Thanks for the thought.   Maybe multiple Python regex libraries?    I know it must be me because no one else seems to have this issue.</span></div><div><span style="font-variant-ligatures:no-common-ligatures"><br></span></div><div><span style="font-variant-ligatures:no-common-ligatures">Matt.</span></div><div><br></div><blockquote type="cite"><div>On Jan 1, 2019, at 4:14 AM, Peter Manev <<a href="mailto:petermanev@gmail.com" target="_blank">petermanev@gmail.com</a>> wrote:</div><br class="gmail-m_8527614825359492696Apple-interchange-newline"><div><div dir="auto"><br><div dir="ltr"><br>On 30 Dec 2018, at 16:57, MATT DOUgherty <<a href="mailto:doughertysnp@gmail.com" target="_blank">doughertysnp@gmail.com</a>> wrote:<br><br></div><blockquote type="cite"><div dir="ltr"><div>I get a PCRE compile error that prevents any other interesting log data.   Does anyone have an idea of what that could be?</div><div><br></div><div>This is a clean install from source on CentOS 6.10 with several versions of Suricata.  I have snort installed.  
Is the existing snort install messing it up?</div><div><br></div><div><br></div><div><div style="margin:0px;font-stretch:normal;font-size:14px;line-height:normal;font-family:"Andale Mono";color:rgb(47,255,18);background-color:rgba(0,0,0,0.9)"><span style="font-variant-ligatures:no-common-ligatures">[root@newfw suricata-4.1.2]# /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth1</span></div><div style="margin:0px;font-stretch:normal;font-size:14px;line-height:normal;font-family:"Andale Mono";color:rgb(47,255,18);background-color:rgba(0,0,0,0.9)"><span style="font-variant-ligatures:no-common-ligatures">30/12/2018 -- 04:51:07 - <Notice> - This is Suricata version 4.1.2 RELEASE</span></div><div style="margin:0px;font-stretch:normal;font-size:14px;line-height:normal;font-family:"Andale Mono";color:rgb(47,255,18);background-color:rgba(0,0,0,0.9)"><span style="font-variant-ligatures:no-common-ligatures">30/12/2018 -- 04:51:07 - <Error> - [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of "\S[0-9A-z_]+[.][A-z0-9_+.]+$" failed at offset 12: POSIX collating elements are not supported</span></div></div></div></blockquote><blockquote type="cite"><div dir="ltr"><span>____</span></div></blockquote><div><br></div><div>Do you have the same error if you start/load with 0 rules ? 
(You can try adding “-S /dev/null” to the starting line, could be rule related I was thinking )</div><div><br></div><div><br></div><br><blockquote type="cite"><div dir="ltr"><span>___________________________________________</span><br><span>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a></span><br><span>Site: <a href="http://suricata-ids.org/" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a></span><br><span>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></span><br><span></span><br><span>Conference: <a href="https://suricon.net/" target="_blank">https://suricon.net</a></span><br><span>Trainings: <a href="https://suricata-ids.org/training/" target="_blank">https://suricata-ids.org/training/</a></span></div></blockquote></div></div></blockquote></div><br></div></div>_______________________________________________<br>
</blockquote></div>
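<p>As an added example (not part of the thread and not Suricata's own code), this Python helper parses the SC_ERR_PCRE_COMPILE line quoted above and reports which element of the pattern the reported offset falls on. It assumes the offset is a 0-based index into the pattern exactly as printed in the log; the function names and the simplified tokenizer are hypothetical.</p>

```python
import re

# Constructed sample: the Notice and Error lines as quoted in the thread.
SAMPLE_LOG = r'''1/1/2019 -- 04:33:29 - <Notice> - This is Suricata version 4.1.2 RELEASE
1/1/2019 -- 04:33:29 - <Error> - [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of "\S[0-9A-z_]+[.][A-z0-9_+.]+$" failed at offset 12: POSIX collating elements are not supported
'''

LINE_RE = re.compile(
    r'SC_ERR_PCRE_COMPILE\(\d+\)\] - pcre compile of "(?P<pattern>.*)" '
    r'failed at offset (?P<offset>\d+): (?P<reason>.*)$')

def tokenize(pattern):
    """Split a regex into (start, text) tokens; simplified, not a full parser."""
    tokens, i, n = [], 0, len(pattern)
    while i < n:
        start = i
        if pattern[i] == '\\':                # escape such as \S
            i += 2
        elif pattern[i] == '[':               # bracketed character class
            i += 1
            if i < n and pattern[i] == '^':
                i += 1
            if i < n and pattern[i] == ']':   # a leading ] is a literal
                i += 1
            while i < n and pattern[i] != ']':
                i += 2 if pattern[i] == '\\' else 1
            i += 1                            # consume the closing ]
        else:                                 # quantifier, anchor or literal
            i += 1
        tokens.append((start, pattern[start:i]))
    return tokens

def locate(pattern, offset):
    """Return the (start, text) token covering a 0-based offset, else None."""
    for start, text in tokenize(pattern):
        if start <= offset < start + len(text):
            return start, text
    return None

def triage(log_text):
    """Return one finding per SC_ERR_PCRE_COMPILE line in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pattern, offset = m['pattern'], int(m['offset'])
            findings.append({'pattern': pattern, 'offset': offset,
                             'reason': m['reason'], 'token': locate(pattern, offset)})
    return findings
```

<p>For the line quoted in the thread, <code>triage(SAMPLE_LOG)[0]['token']</code> is <code>(12, '[.]')</code>: offset 12 is the opening bracket of <code>[.]</code>, and the <code>+</code> quantifier sits at offset 11.</p>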