[Oisf-devel] PCRE '/R' bug?

rmkml rmkml at yahoo.fr
Tue Feb 4 10:50:12 EST 2014


Thx Anoop,

opened Suricata redmine ticket #1098.

Thx for your time.
@Rmkml


On Mon, 3 Feb 2014, Anoop Saldanha wrote:

> rmkml,
>
> If that specific case isn't firing, that's a bug indeed.  Can you
> please open a ticket for it?
>
> On Sat, Feb 1, 2014 at 3:58 AM, rmkml <rmkml at yahoo.fr> wrote:
>> Hi Harley,
>>
>> Yes, it does not work on Suricata v1.4.7 but fires on v2.0 beta 2.
>>
>>
>> oisf-devel: But maybe you have another bug on Suricata v2.0 beta 2, I'll
>> explain:
>>  If you add ^ at the beginning of the pcre, Suricata does not fire with this uri:
>> baduricontentabcde.html
>> (It fires on Snort)
>>
>> fires on suri v2:
>> alert tcp any any -> any 80 (msg:"Testing Rule"; content:"baduricontent";
>> http_raw_uri; pcre:"/[a-z]{5}\.html/R"; sid:1; rev:2;)
>>
>> does not fire on suri v2:
>> alert tcp any any -> any 80 (msg:"Testing Rule"; content:"baduricontent";
>> http_raw_uri; pcre:"/^[a-z]{5}\.html/R"; sid:2; rev:2;)
>>
>> Tested with: wget http://google.com/baduricontentabcde.html
>> (pcap file attached)
>>
>> Can anyone confirm, please?
>>
>> Regards
>> @Rmkml
>>
>>
>>
>>
>>
>> On Fri, 31 Jan 2014, Harley H wrote:
>>
>>> Good catch but that's a typo. I typed the rule in vice copying/pasting
>>> like I should have.
>>>
>>>
>>> On Fri, Jan 31, 2014 at 5:02 PM, Edward Fjellskål
>>> <edwardfjellskaal at gmail.com> wrote:
>>>
>>> "/[a-z]{5}.html"/R"
>>>
>>>
>>> is there a " too much?
>>>
>>> E
>>>
>>> On 01/31/2014 10:40 PM, Harley H wrote:
>>>> Hello, I was going to submit this through Redmine but I'm not
>>>> receiving the account activation email. I'm trying to write a rule
>>>> like this:
>>>>
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $WEB_PORTS (msg: "Testing
>>>> Rule"; content: "baduricontent"; http_raw_uri; pcre:
>>>> "/[a-z]{5}.html"/R"; sid: 123; rev: 1;)
>>>>
>>>> But am receiving this error message:
>>>>
>>>> 31/1/2014 -- 16:19:25 - <Error> - [ERRCODE:
>>>> SC_ERR_INVALID_SIGNATURE(39)] - No preceding content or uricontent
>>>> or pcre option 31/1/2014 -- 16:19:25 - <Error> - [ERRCODE:
>>>> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp
>>>> $HOME_NET any -> $EXTERNAL_NET any (msg: "Testing URL"; content:
>>>> "baduricontent"; http_raw_uri; pcre: "/[a-z]{5}\.html/R"; sid:
>>>> 98765; rev: 1;)" from file
>>>> /root/Desktop/Local_Workspace/IDS_Rules/testing.rules at line 1
>>>>
>>>>
>>>> When I get rid of 'http_raw_uri' and replace that 'content' with
>>>> 'uricontent' the same error message is produced.
>>>>
>>>> -Harley
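The relative-match semantics the thread is arguing about, as an added Python model that is not part of the original thread or of Suricata's code: with `/R` the pcre's search space starts where the previous `content` match ended, so a leading `^` anchors at that offset (the behaviour rmkml reports from Snort). The `anchor_to_match=False` path shows the failure mode in which an engine keeps `^` bound to the start of the whole buffer, so sid 2 never fires while sid 1 does. The URI is the one produced by the `wget` in the thread; retrying later `content` occurrences when the pcre fails is an assumption about engine behaviour, not something the thread states.

```python
import re

# Constructed request URI from "wget http://google.com/baduricontentabcde.html".
URI = "/baduricontentabcde.html"

# The two rules from the thread, reduced to their (content, pcre) pair.
RULES = {
    1: ("baduricontent", r"/[a-z]{5}\.html/R"),
    2: ("baduricontent", r"/^[a-z]{5}\.html/R"),
}


def parse_pcre(pcre: str):
    """Split a rule-style pcre "/regex/flags" into (regex, flags)."""
    body, _, flags = pcre[1:].rpartition("/")
    return body, flags


def fires(buffer: str, content: str, pcre: str, anchor_to_match: bool = True) -> bool:
    """Return True if `content` followed by a relative pcre matches `buffer`."""
    regex, flags = parse_pcre(pcre)
    if "R" not in flags:
        raise ValueError("this model only covers the relative (/R) case")
    compiled = re.compile(regex, re.IGNORECASE if "i" in flags else 0)
    start = 0
    while True:
        idx = buffer.find(content, start)
        if idx < 0:
            return False
        end = idx + len(content)
        if anchor_to_match:
            # Expected relative semantics: the search space is the remainder
            # after the content match, so ^ anchors at that offset.
            if compiled.search(buffer[end:]):
                return True
        else:
            # Failure mode: same regex started at `pos` inside the full buffer.
            # Python's re keeps ^ bound to offset 0, so an anchored relative
            # pcre can never match here, which is what sid 2 shows.
            if compiled.search(buffer, end):
                return True
        start = idx + 1  # assumption: retry on a later content occurrence


def evaluate(buffer: str, anchor_to_match: bool = True) -> dict:
    """Map each sid to whether it fires on `buffer`."""
    return {sid: fires(buffer, c, p, anchor_to_match) for sid, (c, p) in RULES.items()}


if __name__ == "__main__":
    print("expected:", evaluate(URI))          # {1: True, 2: True}
    print("broken  :", evaluate(URI, False))   # {1: True, 2: False}
```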

