[Oisf-devel] PCRE '/R' bug?

Will Metcalf william.metcalf at gmail.com
Tue Feb 4 15:49:07 EST 2014


You need to specify relative pcre matches like this, then it works... Note
the "I".

alert tcp any any -> any 80 (msg:"Testing Rule"; content:"baduricontent";
http_raw_uri; pcre:"/^[a-z]{5}\.html/IR"; sid:2; rev:2;)
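To see why the "^" only makes sense together with "R", here is a small Python harness (added here as an illustration, not code from the thread or from Suricata) that emulates the relative-match semantics: the pcre subject starts where the preceding content match ended, so "^" anchors right after it. The option parser only understands the modifiers the thread uses (R, I/U, i) and assumes no unescaped "/" inside the pattern.

```python
import re

# Subset of Suricata pcre modifiers relevant to this thread (assumption:
# only these are handled; Suricata itself supports many more).
BUFFER_MODIFIERS = {"I": "http_raw_uri", "U": "http_uri"}


def parse_pcre_option(option):
    """Split a pcre option such as '/^[a-z]{5}\\.html/IR' into
    (pattern, relative, buffer, re_flags)."""
    if not option.startswith("/") or option.count("/") < 2:
        raise ValueError("pcre option must look like /pattern/modifiers")
    pattern, _, mods = option[1:].rpartition("/")
    relative = "R" in mods                       # R: relative to last content
    buffer_name = next((BUFFER_MODIFIERS[m] for m in mods
                        if m in BUFFER_MODIFIERS), "payload")
    flags = re.IGNORECASE if "i" in mods else 0  # i: case-insensitive
    return pattern, relative, buffer_name, flags


def content_then_pcre(buf, content, option):
    """Emulate 'content:X; pcre:"/.../R";' on a single buffer.

    With R the regex is run on the part of the buffer that follows the
    content match, so '^' anchors there; without R it is run on the whole
    buffer and '^' anchors at its first byte. Returns the matched text
    or None.
    """
    pattern, relative, _buffer, flags = parse_pcre_option(option)
    pos = buf.find(content)
    if pos == -1:
        return None
    subject = buf[pos + len(content):] if relative else buf
    m = re.search(pattern, subject, flags)
    return m.group(0) if m else None


if __name__ == "__main__":
    # Constructed raw URI, taken from the wget test in the thread.
    uri = "/baduricontentabcde.html"
    print(content_then_pcre(uri, "baduricontent", r"/^[a-z]{5}\.html/IR"))
    print(content_then_pcre(uri, "baduricontent", r"/^[a-z]{5}\.html/I"))
```

Running it shows that the anchored pattern matches "abcde.html" only when evaluated relative to the content; evaluated against the whole raw URI, "^" sits on the leading "/" and the match fails.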



On Tue, Feb 4, 2014 at 9:50 AM, rmkml <rmkml at yahoo.fr> wrote:

> Thx Anoop,
>
> opened Suricata redmine ticket #1098.
>
> Thx for your time.
> @Rmkml
>
>
>
> On Mon, 3 Feb 2014, Anoop Saldanha wrote:
>
>> rmkml,
>>
>> If that specific case isn't firing, that's a bug indeed.  Can you
>> please open a ticket for it?
>>
>> On Sat, Feb 1, 2014 at 3:58 AM, rmkml <rmkml at yahoo.fr> wrote:
>>
>>> Hi Harley,
>>>
>>> Yes, it doesn't work on Suricata v1.4.7 but fires on v2.0 beta 2.
>>>
>>>
>>> oisf-devel: But maybe you have another bug on Suricata v2.0 beta 2, I'll
>>> explain:
>>> If you add ^ at the beginning of the pcre, suricata does not fire with this uri:
>>> baduricontentabcde.html
>>> (It fires on snort)
>>>
>>> fire on suri v2:
>>> alert tcp any any -> any 80 (msg:"Testing Rule"; content:"baduricontent";
>>> http_raw_uri; pcre:"/[a-z]{5}\.html/R"; sid:1; rev:2;)
>>>
>>> not fire on suri v2:
>>> alert tcp any any -> any 80 (msg:"Testing Rule"; content:"baduricontent";
>>> http_raw_uri; pcre:"/^[a-z]{5}\.html/R"; sid:2; rev:2;)
>>>
>>> Tested with: wget http://google.com/baduricontentabcde.html
>>> (attached pcap file)
>>>
>>> Can anyone confirm, please?
>>>
>>> Regards
>>> @Rmkml
>>>
>>>
>>>
>>>
>>>
>>> On Fri, 31 Jan 2014, Harley H wrote:
>>>
>>>> Good catch but that's a typo. I typed the rule in vice copying/pasting
>>>> like I should have.
>>>>
>>>>
>>>> On Fri, Jan 31, 2014 at 5:02 PM, Edward Fjellskål
>>>> <edwardfjellskaal at gmail.com> wrote:
>>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> "/[a-z]{5}.html"/R"
>>>>
>>>>
>>>> is there a " too many?
>>>>
>>>> E
>>>>
>>>> On 01/31/2014 10:40 PM, Harley H wrote:
>>>>
>>>>> Hello, I was going to submit this through Redmine but I'm not
>>>>> receiving the account activation email. I'm trying to write a rule
>>>>> like this:
>>>>>
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $WEB_PORTS (msg: "Testing
>>>>> Rule"; content: "baduricontent"; http_raw_uri; pcre:
>>>>> "/[a-z]{5}.html"/R"; sid: 123; rev: 1;)
>>>>>
>>>>> But am receiving this error message:
>>>>>
>>>>> 31/1/2014 -- 16:19:25 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - No preceding content or uricontent or pcre option
>>>>> 31/1/2014 -- 16:19:25 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "Testing URL"; content: "baduricontent"; http_raw_uri; pcre: "/[a-z]{5}\.html/R"; sid: 98765; rev: 1;)" from file /root/Desktop/Local_Workspace/IDS_Rules/testing.rules at line 1
>>>>>
>>>>>
>>>>> When I get rid of 'http_raw_uri' and replace that 'content' with
>>>>> 'uricontent' the same error message is produced.
>>>>>
>>>>> -Harley
>>>>>
>>>> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/
> participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
>