<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Carl, I found this to work for me using Suricata 4.1 and vanilla flavored PCRE 8.38-3.1:</div><div dir="ltr"><br></div><div dir="ltr"><div dir="ltr">alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Test UTF-8"; flow:established,to_server; pcre:"/\xe6\x8a\x95/";  classtype:unknown; sid:1003818; rev:1;)</div><div dir="ltr"># 01/22/2019-10:59:03.408638  [**] [1:1003818:1] Test UTF-8 [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} <a href="http://192.168.1.22:49528">192.168.1.22:49528</a> -> <a href="http://128.123.123.203:8888">128.123.123.203:8888</a></div><div dir="ltr"><br></div><div dir="ltr">alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Test UTF-8"; flow:established,to_server; content:"|e6 8a 95|";  classtype:unknown; sid:1003819; rev:1;)</div><div dir="ltr"># 01/22/2019-10:59:04.993260  [**] [1:1003819:1] Test UTF-8 [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} <a href="http://192.168.1.22:49528">192.168.1.22:49528</a> -> <a href="http://128.123.123.203:8888">128.123.123.203:8888</a></div><div dir="ltr"><br></div><div dir="ltr">alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Test UTF-16"; flow:established,to_server; pcre:"/投/"; classtype:unknown; sid:1003821; rev:1;)</div><div dir="ltr"># 01/22/2019-10:59:03.935684  [**] [1:1003821:1] Test UTF-16 [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} <a href="http://192.168.1.22:49528">192.168.1.22:49528</a> -> <a href="http://128.123.123.203:8888">128.123.123.203:8888</a></div><div dir="ltr"><br></div><div dir="ltr"><div dir="ltr">alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Test UTF-16"; flow:established,to_server; content:"投"; classtype:unknown; sid:1003822; rev:1;)</div><div dir="ltr"># 01/22/2019-10:59:03.408638  [**] [1:1003822:1] Test UTF-16 [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} <a href="http://192.168.1.22:49528">192.168.1.22:49528</a> -> <a 
href="http://128.123.123.203:8888">128.123.123.203:8888</a></div></div><div><br></div><div>Hope that helps,<br></div><div>-Travis </div></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jan 22, 2019 at 9:37 AM carl rizzle <<a href="mailto:rizzlecarl@gmail.com">rizzlecarl@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><font face="arial, helvetica, sans-serif">I am currently running Suricata-4.0.0 with pcre version 8.42. </font></div><div dir="ltr"><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">I compiled pcre version 8.42 as follows:</font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><p style="margin:0px;font-size:11px;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="arial, helvetica, sans-serif">./configure --prefix=/usr                     \</font></span></p>
<p style="margin:0px;font-size:11px;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="arial, helvetica, sans-serif">            --docdir=/usr/share/doc/pcre-8.42 \</font></span></p>
<p style="margin:0px;font-size:11px;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="arial, helvetica, sans-serif">            --enable-unicode-properties       \</font></span></p>
<p style="margin:0px;font-size:11px;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="arial, helvetica, sans-serif">            --enable-pcre16                       \</font></span></p>
<p style="margin:0px;font-size:11px;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="arial, helvetica, sans-serif">            --enable-pcre32                       \</font></span></p>
<p style="margin:0px;font-size:11px;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="arial, helvetica, sans-serif">            --enable-pcregrep-libz              \</font></span></p>
<p style="margin:0px;font-size:11px;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="arial, helvetica, sans-serif">            --enable-pcregrep-libbz2          \</font></span></p>
<p style="margin:0px;font-size:11px;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="arial, helvetica, sans-serif">            --disable-static                          \</font></span></p>
<p style="margin:0px;font-size:11px;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="arial, helvetica, sans-serif">            --enable-pcretest-libreadline     \</font></span></p>
<p style="margin:0px;font-size:11px;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="arial, helvetica, sans-serif">            --enable-utf8</font></span></p><p style="margin:0px;font-size:11px;line-height:normal;color:rgb(0,0,0)"><font face="arial, helvetica, sans-serif"><br></font></p><p style="margin:0px;line-height:normal"><font face="arial, helvetica, sans-serif"><span style="color:rgb(0,0,0);font-size:11px">...and ran make </span></font></p><p style="margin:0px;line-height:normal"><font face="arial, helvetica, sans-serif"><span style="color:rgb(0,0,0);font-size:11px"><br></span></font></p><p style="margin:0px;line-height:normal"><font face="arial, helvetica, sans-serif"><span style="color:rgb(0,0,0);font-size:11px">Suricata was compiled as follows:</span></font></p><p style="margin:0px;line-height:normal"><font face="arial, helvetica, sans-serif"><span style="color:rgb(0,0,0);font-size:11px"><br></span></font></p><p style="margin:0px;font-size:11px;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="arial, helvetica, sans-serif">./configure with_libpcre_includes=/root/suricata-4.0.0/pcre-8.42/ with_libpcre_libraries=/root/suricata-4.0.0/pcre-8.42/.libs/</font></span></p><p style="margin:0px;font-size:11px;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="arial, helvetica, sans-serif"><br></font></span></p><p style="margin:0px;font-size:11px;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="arial, helvetica, sans-serif">...and ran make && make install </font></span></p><p style="margin:0px;font-size:11px;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="arial, helvetica, sans-serif"><br></font></span></p><p style="margin:0px;line-height:normal"><font face="arial, helvetica, 
sans-serif"><font color="#000000"><span style="font-size:11px">My goal is to make a rule that matches on the Chinese character: </span></font></font><span style="color:rgb(0,0,0);font-family:Menlo;font-size:11px">投</span></p><p style="margin:0px;line-height:normal"><font face="arial, helvetica, sans-serif"><span style="color:rgb(0,0,0);font-size:11px">I created a rule that matches on utf-8 characters (i.e. pcre:"/\xe6\x8a\95/") as well as utf-16</span></font></p><p style="margin:0px;line-height:normal"><font face="arial, helvetica, sans-serif"><font color="#000000"><span style="font-size:11px">(i.e. pcre:"/\X{6295}/"). Suricata accepted both rules but neither of them matched the character </span></font></font></p><p style="margin:0px;line-height:normal"><font color="#000000" face="arial, helvetica, sans-serif"><span style="font-size:11px">that I know is in my sample data. Any idea if my PCRE expression is incorrect or if I configured Suricata </span></font></p><p style="margin:0px;line-height:normal"><font color="#000000" face="arial, helvetica, sans-serif"><span style="font-size:11px">incorrectly? Are there other encoding formats that I am missing? 
</span></font></p><p style="margin:0px;line-height:normal"><font color="#000000" face="arial, helvetica, sans-serif"><span style="font-size:11px"><br></span></font></p><p style="margin:0px;line-height:normal"><font color="#000000" face="arial, helvetica, sans-serif"><span style="font-size:11px">Thanks</span></font></p><p style="margin:0px;font-size:11px;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="arial, helvetica, sans-serif"><br></font></span></p><p style="margin:0px;font-size:11px;line-height:normal;color:rgb(0,0,0)"><br></p><p style="margin:0px;font-size:11px;line-height:normal;color:rgb(0,0,0)"><span style="font-variant-ligatures:no-common-ligatures"><font face="arial, helvetica, sans-serif"><br></font></span></p><p style="margin:0px;font-size:11px;line-height:normal;color:rgb(0,0,0)"><br></p></div></div></div></div></div></div></div></div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">PGP: ABE625E6<br><a href="http://keybase.io/travisbgreen" target="_blank">keybase.io/travisbgreen</a></div>
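<div dir="ltr"><p>Added example, not part of the thread and not Suricata's own code: a short Python script that shows why the byte-level rules in Travis's reply fire on UTF-8 traffic and what the same character looks like in UTF-16, the other encoding Carl asked about. It renders a character as the raw bytes each encoding puts on the wire, builds the equivalent content:"|e6 8a 95|" and pcre:"/\xe6\x8a\x95/" forms, parses Suricata's pipe-hex content notation back into bytes, and runs a plain byte search over constructed HTTP request lines. The request lines and all function names are assumptions made for this example. One caveat the bytes make visible: a literal 投 typed into a rule file saved as UTF-8 is the same three bytes as the explicit escapes, so a rule meant for UTF-16 traffic needs the UTF-16 byte sequence spelled out, and UTF-16 comes in two byte orders.</p></div>

```python
import re

# Constructed for this example: the character discussed in the thread.
CHAR = "\u6295"  # 投


def wire_encodings(ch: str) -> dict:
    """Raw bytes that `ch` occupies on the wire in the encodings a rule must consider."""
    return {
        "utf-8": ch.encode("utf-8"),          # e6 8a 95
        "utf-16-le": ch.encode("utf-16-le"),  # 95 62
        "utf-16-be": ch.encode("utf-16-be"),  # 62 95
    }


def suricata_content(raw: bytes) -> str:
    """Render bytes in Suricata's content:"|xx xx|" hex notation."""
    return "|" + " ".join(f"{b:02x}" for b in raw) + "|"


def pcre_bytes(raw: bytes) -> str:
    """Render bytes as PCRE \\xNN escapes (e.g. \\xe6\\x8a\\x95) for a pcre:"/.../" keyword."""
    return "".join(f"\\x{b:02x}" for b in raw)


def parse_content(spec: str) -> bytes:
    """Parse a Suricata content value into bytes.

    Sections between | pipes are hex; everything else is literal text, so mixed
    values such as q=|e6 8a 95| work. An unbalanced pipe is rejected.
    """
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced | in content value")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")  # literal text, byte for byte
        else:
            out += bytes.fromhex(part)     # hex section, whitespace ignored
    return bytes(out)


def content_matches(spec: str, payload: bytes) -> bool:
    """Byte-level substring search, which is how a content keyword matches."""
    return parse_content(spec) in payload


def pcre_matches(pattern: str, payload: bytes) -> bool:
    """Byte-level regex search; each \\xNN escape matches a single byte (no UTF mode)."""
    return re.search(pattern.encode("latin-1"), payload) is not None


def coverage(ch: str, rule_encoding: str = "utf-8") -> dict:
    """Report which wire encodings of `ch` a byte rule written for `rule_encoding` hits.

    Returns {wire_encoding: (content_hit, pcre_hit)} over a constructed request
    line carrying the character in that wire encoding.
    """
    rule_raw = ch.encode(rule_encoding)
    spec = suricata_content(rule_raw)
    pat = pcre_bytes(rule_raw)
    report = {}
    for name, raw in wire_encodings(ch).items():
        payload = b"GET /?q=" + raw + b" HTTP/1.1\r\n"  # constructed sample request line
        report[name] = (content_matches(spec, payload), pcre_matches(pat, payload))
    return report


if __name__ == "__main__":
    # The rule forms for each encoding, followed by what a UTF-8 byte rule catches.
    for name, raw in wire_encodings(CHAR).items():
        print(f'{name:10} content:"{suricata_content(raw)}"  pcre:"/{pcre_bytes(raw)}/"')
    for name, (c_hit, p_hit) in coverage(CHAR).items():
        print(f"{name:10} content={c_hit!s:5} pcre={p_hit}")
```

<div dir="ltr"><p>Running the script prints the three content/pcre rule forms and then shows that the UTF-8 byte rule (the one that worked in Travis's tests) matches only the UTF-8 request line; calling coverage(CHAR, "utf-16-be") or coverage(CHAR, "utf-16-le") shows that a rule for UTF-16 traffic has to carry that encoding's own bytes and only matches its own byte order. The search is done on raw bytes deliberately, since that is what a content keyword and a byte-escape pcre see.</p></div>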