[Oisf-users] PCRE question

Brandon Ganem brandonganem+oisf at gmail.com
Wed Jul 11 14:49:30 EDT 2012


Kay,
I've got a bunch of signatures doing this. For example:
[18575] 11/7/2012 -- 13:22:40 - (detect-pcre.c:949) <Error>
(DetectPcreParse) -- [ERRCODE: SC_ERR_PCRE_STUDY(6)] - pcre study failed :
unknown or incorrect option bit(s) set
[18575] 11/7/2012 -- 13:22:40 - (detect.c:547) <Error> (DetectLoadSigFile)
-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert
http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft
Internet Explorer SameID Use-After-Free "; flow:established,from_server;
content:"<DIV id="; nocase; content:"<img id="; nocase; distance:0;
content:".innerHTML"; distance:0;
pcre:"/<DIV\s*?id[\s\r\n]*?\x3d[\s\r\n]*?(?P<divid>[^>]+).+?<img\s*id=\s*?\x22(?P<imgid>[^\x22]+).+?\<a\s*?href=\x22javascript\x3a(?P<firstfunction>[^\x28]+)\(\).+?\>.*?\<div[^\>]+?id=\x22(?P=imgid)\x22[^>]+?on[A-Za-z]+?\s*?=\s*?\x22(?P<secondfunction>[^\x28]+)\(\)\x3b\s*?\x22.+?function[\s\r\n]*?(?P=firstfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?(?P=divid)\x2einnerHTML\s*?\x3d\s*?(?P=divid)\x2einnerHTML[\s\r\n]*?\x3b.*?\x7d.*?function[\s\r\n]*?(?P=secondfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?\x28\x22(?P=imgid)\x22\x29\x2esrc\s*?\x3d/si";
reference:cve,CVE-2012-1875; classtype:attempted-user; sid:2014911;
rev:10;)" from file /etc/suricata/rules/etpro/web_client.rules at line 1916
http://doc.emergingthreats.net/bin/view/Main/2014911

It doesn't seem to be related to the pcre options. I created a sig without
any options:
alert tcp any any -> any any (msg:"test .jar sig"; content:".jar"; nocase;
http_uri; pcre: "/\d{5}\.jar/"; classtype:trojan-activity;
sid:2055555555555500349; rev:1;)

regardless of the pcre options it blows up. However if I get ride of the
pcre statement it works fine.

Thanks!

On Wed, Jul 11, 2012 at 2:33 PM, kay <kay.diam at gmail.com> wrote:

> Thanks for info, now I know more about it. But it is a custom suricata
> modifier. I would suggest the author to try start suricata without
> this modifier.
>
> 2012/7/11 Chris Wakelin <c.d.wakelin at reading.ac.uk>:
> > On 11/07/2012 19:06, kay wrote:
> >> I have noticed /H modifier. I've never heard about such modifier.
> >>
> >> "/Host\x3a ([0-9]{1,3}\.){3}[0-9]{1,3}/H"
> >
> > From
> >
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords
> > :-
> >> H       Makes pcre match on the HTTP-header.  H can be combined with
> /R. Note that R is relative to the
> >>         previous match so both matches have to be in the HTTP-header
> body.
> >
> > plus several others!
> >
> > Best Wishes,
> > Chris
> >
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120711/b09742ec/attachment.html>


More information about the Oisf-users mailing list