[Oisf-devel] Suricata v0.8.0 and pcre unknown regex modifier '/' error

Victor Julien victor at inliniac.net
Sat Jan 2 18:14:38 UTC 2010


Hi rmkml, the signature looks valid so there must be a bug on our end.

I've added a ticket:
https://redmine.openinfosecfoundation.org/issues/show/40

Thanks for the report!
Cheers,
Victor

rmkml wrote:
> Hi,
> After a little testing, I have a small question about this signature:
>   alert tcp any any -> any any (msg:"test"; pcre:!"/MODE/m"; sid:987654321; rev:1;)
> If I start suricata:
>   ./suricata080beta -c suricata.yaml -r test.pcap --init-errors-fatal
> ...
> [14876] 2/1/2010 -- 18:52:58 - (detect.c:327) <Info> (SigLoadSignatures) -- Loading rule file: /home/test/snort/rules/chat2.rules
> DetectPcreParse: unknown regex modifier '/'
> [14876] 2/1/2010 -- 18:52:58 - (detect-parse.c:811) <Error> (SigInitReal) 
> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(19)] - Signature init failed "alert tcp any any -> any any (msg:"test"; pcre:!"/MODE/m"; sid:987654321; rev:1;)
> 
> I have the same problem with this signature variant:
>   alert tcp any any -> any any (msg:"test"; pcre:!"/MODE/i"; sid:987654321; rev:1;)
> 
> OK, this signature is not good for production use (it is simplified to demonstrate the pcre error), but the error does not appear on Snort; maybe it's a Suricata bug?
> Regards
> Rmkml
> Crusoe-Researches.com


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------



