[Oisf-devel] PCRE '/R' bug?
rmkml
rmkml at yahoo.fr
Tue Feb 4 16:08:54 EST 2014
Thx Will for feedback,
Yes you are right, pcre IR or UR work (sid 3 and 6),
but before suri v2.0beta2, suri errors if pcre R+^ relative http_raw_uri/http_uri (sid 2 and 5).
Maybe back error on suri v2 ? (because suri not fire)
FYI, snort v2960 fire if pcre R+^ relative http_raw_uri/http_uri (sid 2 and 5).
but errors if pcre IR or UR... (sid 3 and 6)
(break suri / snort compatibility?)
Tested with:
alert tcp any any -> any 80 (msg:"Testing Rule1"; content:"baduricontent"; http_raw_uri; pcre:"/[a-z]{5}\.html/R"; sid:1; rev:2;)
alert tcp any any -> any 80 (msg:"Testing Rule2"; content:"baduricontent"; http_raw_uri; pcre:"/^[a-z]{5}\.html/R"; sid:2; rev:2;)
alert tcp any any -> any 80 (msg:"Testing Rule3"; content:"baduricontent"; http_raw_uri; pcre:"/^[a-z]{5}\.html/IR"; sid:3; rev:2;)
alert tcp any any -> any 80 (msg:"Testing Rule4"; content:"baduricontent"; http_uri; pcre:"/[a-z]{5}\.html/R"; sid:4; rev:2;)
alert tcp any any -> any 80 (msg:"Testing Rule5"; content:"baduricontent"; http_uri; pcre:"/^[a-z]{5}\.html/R"; sid:5; rev:2;)
alert tcp any any -> any 80 (msg:"Testing Rule6"; content:"baduricontent"; http_uri; pcre:"/^[a-z]{5}\.html/UR"; sid:6; rev:2;)
(pcap previously sended)
Regards
@Rmkml
On Tue, 4 Feb 2014, Will Metcalf wrote:
> You need to specify relative pcre matches like this, then it works... Note the "I".
> alert tcp any any -> any 80 (msg:"Testing Rule"; content:"baduricontent"; http_raw_uri; pcre:"/^[a-z]{5}\.html/IR"; sid:2; rev:2;)
>
>
>
> On Tue, Feb 4, 2014 at 9:50 AM, rmkml <rmkml at yahoo.fr> wrote:
> Thx Anoop,
>
> opened Suricata redmine ticket #1098.
>
> Thx for your time.
> @Rmkml
>
>
> On Mon, 3 Feb 2014, Anoop Saldanha wrote:
>
> rmkml,
>
> If that specific case isn't firing, that's a bug indeed. Can you
> please open a ticket for it?
>
> On Sat, Feb 1, 2014 at 3:58 AM, rmkml <rmkml at yahoo.fr> wrote:
> Hi Harley,
>
> Yes it's not work on Suricata v1.4.7 but fire on v2.0 beta 2.
>
>
> oisf-devel: But maybe you have another bug on Suricata v2.0 beta 2, I'm
> explain:
> If you add ^ on pcre begin, suricata not fire with this uri:
> baduricontentabcde.html
> (It's fire on snort)
>
> fire on suri v2:
> alert tcp any any -> any 80 (msg:"Testing Rule"; content:"baduricontent";
> http_raw_uri; pcre:"/[a-z]{5}\.html/R"; sid:1; rev:2;)
>
> not fire on suri v2:
> alert tcp any any -> any 80 (msg:"Testing Rule"; content:"baduricontent";
> http_raw_uri; pcre:"/^[a-z]{5}\.html/R"; sid:2; rev:2;)
>
> Tested with: wget http://google.com/baduricontentabcde.html
> (joigned pcap file)
>
> Anyone confirm please ?
>
> Regards
> @Rmkml
>
>
>
>
>
> On Fri, 31 Jan 2014, Harley H wrote:
>
> Good catch but that's a typo. I typed the rule in vice copying/pasting
> like I should have.
>
>
> On Fri, Jan 31, 2014 at 5:02 PM, Edward Fjellsk?l
> <edwardfjellskaal at gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> "/[a-z]{5}.html"/R"
>
>
> is there a " to much?
>
> E
>
> On 01/31/2014 10:40 PM, Harley H wrote:
> Hello, I was going to submit this through Redmine but I'm not
> receiving the account activation email. I'm trying to write a rule
> like this:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $WEB_PORTS (msg: "Testing
> Rule"; content: "baduricontent"; http_raw_uri; pcre:
> "/[a-z]{5}.html"/R"; sid: 123; rev: 1;)
>
> But am receiving this error message:
>
> 31/1/2014 -- 16:19:25 - <Error> - [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - No preceding content or uricontent
> or pcre option 31/1/2014 -- 16:19:25 - <Error> - [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp
> $HOME_NET any -> $EXTERNAL_NET any (msg: "Testing URL"; content:
> "baduricontent"; http_raw_uri; pcre: "/[a-z]{5}\.html/R"; sid:
> 98765; rev: 1;)" from file
> /root/Desktop/Local_Workspace/IDS_Rules/testing.rules at line 1
>
>
> When I get rid of 'http_raw_uri' and replace that 'content' with
> 'uricontent' the same error message is produced.
>
> -Harley
>
More information about the Oisf-devel
mailing list