[Oisf-devel] PCRE '/R' bug?

Anoop Saldanha anoopsaldanha at gmail.com
Mon Feb 3 10:18:52 UTC 2014


rmkml,

If that specific case isn't firing, that's a bug indeed.  Can you
please open a ticket for it?

On Sat, Feb 1, 2014 at 3:58 AM, rmkml <rmkml at yahoo.fr> wrote:
> Hi Harley,
>
> Yes, it does not work on Suricata v1.4.7 but fires on v2.0 beta 2.
>
>
> oisf-devel: But maybe you have another bug on Suricata v2.0 beta 2; I'll
> explain:
>  If you add ^ at the beginning of the pcre, Suricata does not fire with this URI:
> baduricontentabcde.html
> (It fires on Snort)
>
> fire on suri v2:
> alert tcp any any -> any 80 (msg:"Testing Rule"; content:"baduricontent";
> http_raw_uri; pcre:"/[a-z]{5}\.html/R"; sid:1; rev:2;)
>
> not fire on suri v2:
> alert tcp any any -> any 80 (msg:"Testing Rule"; content:"baduricontent";
> http_raw_uri; pcre:"/^[a-z]{5}\.html/R"; sid:2; rev:2;)
>
> Tested with: wget http://google.com/baduricontentabcde.html
> (pcap file attached)
>
> Can anyone confirm, please?
>
> Regards
> @Rmkml
>
>
>
>
>
> On Fri, 31 Jan 2014, Harley H wrote:
>
>> Good catch, but that's a typo. I typed the rule in vice copying/pasting
>> like I should have.
>>
>>
>> On Fri, Jan 31, 2014 at 5:02 PM, Edward Fjellskål
>> <edwardfjellskaal at gmail.com> wrote:
>>
>>       "/[a-z]{5}.html"/R"
>>
>>
>> Is there one " too many?
>>
>> E
>>
>> On 01/31/2014 10:40 PM, Harley H wrote:
>> > Hello, I was going to submit this through Redmine but I'm not
>> > receiving the account activation email. I'm trying to write a rule
>> > like this:
>> >
>> > alert tcp $HOME_NET any -> $EXTERNAL_NET $WEB_PORTS (msg: "Testing
>> > Rule"; content: "baduricontent"; http_raw_uri; pcre:
>> > "/[a-z]{5}.html"/R"; sid: 123; rev: 1;)
>> >
>> > But I am receiving this error message:
>> >
>> > 31/1/2014 -- 16:19:25 - <Error> - [ERRCODE:
>> > SC_ERR_INVALID_SIGNATURE(39)] - No preceding content or uricontent
>> > or pcre option 31/1/2014 -- 16:19:25 - <Error> - [ERRCODE:
>> > SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp
>> > $HOME_NET any -> $EXTERNAL_NET any (msg: "Testing URL"; content:
>> > "baduricontent"; http_raw_uri; pcre: "/[a-z]{5}\.html/R"; sid:
>> > 98765; rev: 1;)" from file
>> > /root/Desktop/Local_Workspace/IDS_Rules/testing.rules at line 1
>> >
>> >
>> > When I get rid of 'http_raw_uri' and replace that 'content' with
>> > 'uricontent' the same error message is produced.
>> >
>> > -Harley
>> >
>> >
>> >
>> > _______________________________________________ Suricata IDS Devel
>> > mailing list: oisf-devel at openinfosecfoundation.org Site:
>> > http://suricata-ids.org | Participate:
>> > http://suricata-ids.org/participate/ List:
>> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
>> >
>> >
>> Redmine: https://redmine.openinfosecfoundation.org/
>> >
>



-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
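The behaviour the two rules in rmkml's report expect, as an added Python illustration that is not code from this thread or from Suricata: a `content` match followed by `pcre` with the `R` modifier means the regex is evaluated from the offset where the content match ended, so a leading `^` should anchor at that offset rather than at the start of the buffer (the post states Snort fires for both rules, and the report expects Suricata to do the same). The rule table, the function names and the sample URIs are constructed here. The second matcher shows how an implementation that passes a start offset to the regex engine instead of re-anchoring at it quietly loses the `^` anchor; that is one way this class of bug arises, not a claim about the cause of the reported Suricata behaviour.

```python
import re

# Constructed sample buffer, from the test in the thread:
#   wget http://google.com/baduricontentabcde.html  -> raw URI below
RAW_URI = b"/baduricontentabcde.html"

# The two rules from the thread, reduced to the parts that matter here:
# (sid, content match, pcre body). Constructed table, not Suricata's parser.
RULES = [
    (1, b"baduricontent", rb"[a-z]{5}\.html"),   # reported to fire on 2.0 beta 2
    (2, b"baduricontent", rb"^[a-z]{5}\.html"),  # expected to fire, reported not to
]


def relative_pcre_match(buf, content, pattern):
    """Emulate 'content:"..."; pcre:"/.../R"': the regex is evaluated on the
    part of the buffer that starts where the content match ended, so a
    leading ^ anchors at that offset. Returns absolute (start, end) or None."""
    idx = buf.find(content)
    if idx < 0:
        return None
    start = idx + len(content)
    # Slice the buffer so the regex engine sees the relative offset as the
    # beginning of its subject; ^ then means "immediately after the content".
    m = re.compile(pattern).search(buf[start:])
    if m is None:
        return None
    return (start + m.start(), start + m.end())


def relative_pcre_match_pos_arg(buf, content, pattern):
    """Same idea, but hands the relative offset to the engine as a start
    position instead of slicing. In Python's re, ^ still means offset 0 of
    the whole string, so an anchored pattern never matches after a content
    match. Illustrates how a relative anchor can silently stop working."""
    idx = buf.find(content)
    if idx < 0:
        return None
    start = idx + len(content)
    m = re.compile(pattern).search(buf, start)
    return None if m is None else (m.start(), m.end())


def evaluate(buf, matcher=relative_pcre_match):
    """Return {sid: fired} for every rule in RULES against one buffer."""
    return {sid: matcher(buf, content, pattern) is not None
            for sid, content, pattern in RULES}


if __name__ == "__main__":
    print("expected relative semantics:", evaluate(RAW_URI))
    print("offset-argument variant:    ", evaluate(RAW_URI, relative_pcre_match_pos_arg))
```

With the slicing matcher both sids fire on `/baduricontentabcde.html`; with the offset-argument matcher sid 2 never fires, which is the same symptom the report describes. A URI such as `/baduricontentxabcde.html` separates the two rules legitimately: the unanchored pcre still finds `abcde.html` further along, while the anchored one correctly does not, because `x` sits directly after the content.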

