<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Thank you for the reply Peter.<div class=""><br class=""></div><div class="">Yes,   Same results.</div><div class=""><br class=""><div><div style="margin: 0px; font-stretch: normal; font-size: 15px; line-height: normal; font-family: "Andale Mono"; color: rgb(47, 255, 18); background-color: rgba(0, 0, 0, 0.901961);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">[root@newfw ~]# /usr/bin/suricata -c /etc/suricata/suricata.yaml -S /dev/null -i eth1</span></div><div style="margin: 0px; font-stretch: normal; font-size: 15px; line-height: normal; font-family: "Andale Mono"; color: rgb(159, 160, 28); background-color: rgba(0, 0, 0, 0.901961);" class=""><span style="font-variant-ligatures: no-common-ligatures; color: #2fb41d" class="">1/1/2019 -- 04:33:29</span><span style="font-variant-ligatures: no-common-ligatures; color: #2fff12" class=""> - <</span><span style="font-variant-ligatures: no-common-ligatures" class="">Notice</span><span style="font-variant-ligatures: no-common-ligatures; color: #2fff12" class="">> - </span><span style="font-variant-ligatures: no-common-ligatures" class="">This is Suricata version 4.1.2 RELEASE</span></div><div style="margin: 0px; font-stretch: normal; font-size: 15px; line-height: normal; font-family: "Andale Mono"; color: rgb(180, 36, 25); background-color: rgba(0, 0, 0, 0.901961);" class=""><span style="font-variant-ligatures: no-common-ligatures; color: #2fb41d" class="">1/1/2019 -- 04:33:29</span><span style="font-variant-ligatures: no-common-ligatures; color: #2fff12" class=""> - <</span><span style="font-variant-ligatures: no-common-ligatures" class="">Error</span><span style="font-variant-ligatures: no-common-ligatures; color: #2fff12" class="">> - [</span><span style="font-variant-ligatures: no-common-ligatures; color: #9fa01c" class="">ERRCODE</span><span style="font-variant-ligatures: no-common-ligatures; color: #2fff12" class="">: </span><span style="font-variant-ligatures: no-common-ligatures" class="">SC_ERR_PCRE_COMPILE</span><span style="font-variant-ligatures: no-common-ligatures; color: #2fff12" class="">(</span><span style="font-variant-ligatures: no-common-ligatures; color: #9fa01c" class="">5</span><span style="font-variant-ligatures: no-common-ligatures; color: #2fff12" class="">)] - </span><span style="font-variant-ligatures: no-common-ligatures" class="">pcre compile of "\S[0-9A-z_]+[.][A-z0-9_+.]+$" failed at offset 12: POSIX collating elements are not supported</span></div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class=""></span></div><div class="">Offset 12 seems to indicate the plus character so I changed every instance to {1,} and still get the same basic error.</div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-stretch: normal; font-size: 15px; line-height: normal; font-family: "Andale Mono"; color: rgb(47, 255, 18); background-color: rgba(0, 0, 0, 0.901961);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">[root@newfw ~]# /usr/bin/suricata -c /etc/suricata/suricata.yaml -S /dev/null -i eth1</span></div><div style="margin: 0px; font-stretch: normal; font-size: 15px; line-height: normal; font-family: "Andale Mono"; color: rgb(159, 160, 28); background-color: rgba(0, 0, 0, 0.901961);" class=""><span style="font-variant-ligatures: no-common-ligatures; color: #2fb41d" class="">1/1/2019 -- 04:33:29</span><span style="font-variant-ligatures: no-common-ligatures; color: #2fff12" class=""> - <</span><span style="font-variant-ligatures: no-common-ligatures" class="">Notice</span><span style="font-variant-ligatures: no-common-ligatures; color: #2fff12" class="">> - </span><span style="font-variant-ligatures: no-common-ligatures" class="">This is Suricata version 4.1.2 RELEASE</span></div><div style="margin: 0px; font-stretch: normal; font-size: 15px; line-height: normal; font-family: "Andale Mono"; color: rgb(180, 36, 25); background-color: rgba(0, 0, 0, 0.901961);" class=""><span style="font-variant-ligatures: no-common-ligatures; color: #2fb41d" class="">1/1/2019 -- 04:33:29</span><span style="font-variant-ligatures: no-common-ligatures; color: #2fff12" class=""> - <</span><span style="font-variant-ligatures: no-common-ligatures" class="">Error</span><span style="font-variant-ligatures: no-common-ligatures; color: #2fff12" class="">> - [</span><span style="font-variant-ligatures: no-common-ligatures; color: #9fa01c" class="">ERRCODE</span><span style="font-variant-ligatures: no-common-ligatures; color: #2fff12" class="">: </span><span style="font-variant-ligatures: no-common-ligatures" class="">SC_ERR_PCRE_COMPILE</span><span style="font-variant-ligatures: no-common-ligatures; color: #2fff12" class="">(</span><span style="font-variant-ligatures: no-common-ligatures; color: #9fa01c" class="">5</span><span style="font-variant-ligatures: no-common-ligatures; color: #2fff12" class="">)] - </span><span style="font-variant-ligatures: no-common-ligatures" class="">pcre compile of "\S[0-9A-z_]+[.][A-z0-9_+.]+$" failed at offset 12: POSIX collating elements are not supported</span></div></div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class=""></span></div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class=""></span></div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Thanks for thought.   Maybe multiple python regex libraries?    I know it must be me because no one else seems to have this issue.</span></div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class=""><br class=""></span></div><div class=""><span style="font-variant-ligatures: no-common-ligatures" class="">Matt.</span></div><div class=""><br class=""></div><blockquote type="cite" class=""><div class="">On Jan 1, 2019, at 4:14 AM, Peter Manev <<a href="mailto:petermanev@gmail.com" class="">petermanev@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="content-type" content="text/html; charset=utf-8" class=""><div dir="auto" class=""><br class=""><div dir="ltr" class=""><br class="">On 30 Dec 2018, at 16:57, MATT DOUgherty <<a href="mailto:doughertysnp@gmail.com" class="">doughertysnp@gmail.com</a>> wrote:<br class=""><br class=""></div><blockquote type="cite" class=""><div dir="ltr" class=""><meta http-equiv="Content-Type" content="text/html; charset=us-ascii" class=""><div class="">I get a PCRE compile error that prevents any other interesting log data.   Does anyone have an idea of that the could be?</div><div class=""><br class=""></div><div class="">This is a clean install from source on CENTOS 6.10 with several versions of Suricata.  I have snort installed.  Is the existing snort install messing it up?</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "Andale Mono"; color: rgb(47, 255, 18); background-color: rgba(0, 0, 0, 0.901961);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">[root@newfw suricata-4.1.2]# /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth1</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "Andale Mono"; color: rgb(47, 255, 18); background-color: rgba(0, 0, 0, 0.901961);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">30/12/2018 -- 04:51:07 - <Notice> - This is Suricata version 4.1.2 RELEASE</span></div><div style="margin: 0px; font-stretch: normal; font-size: 14px; line-height: normal; font-family: "Andale Mono"; color: rgb(47, 255, 18); background-color: rgba(0, 0, 0, 0.901961);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">30/12/2018 -- 04:51:07 - <Error> - [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of "\S[0-9A-z_]+[.][A-z0-9_+.]+$" failed at offset 12: POSIX collating elements are not supported</span></div></div></div></blockquote><blockquote type="cite" class=""><div dir="ltr" class=""><span class="">____</span></div></blockquote><div class=""><br class=""></div><div class="">Do you have the same error if you start/load with 0 rules ? (You can try adding “-S /dev/null” to the starting line, could be rule related I was thinking )</div><div class=""><br class=""></div><div class=""><br class=""></div><br class=""><blockquote type="cite" class=""><div dir="ltr" class=""><span class="">___________________________________________</span><br class=""><span class="">Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" class="">oisf-users@openinfosecfoundation.org</a></span><br class=""><span class="">Site: <a href="http://suricata-ids.org/" class="">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" class="">http://suricata-ids.org/support/</a></span><br class=""><span class="">List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" class="">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></span><br class=""><span class=""></span><br class=""><span class="">Conference: <a href="https://suricon.net/" class="">https://suricon.net</a></span><br class=""><span class="">Trainings: <a href="https://suricata-ids.org/training/" class="">https://suricata-ids.org/training/</a></span></div></blockquote></div></div></blockquote></div><br class=""></div></body></html>