[Oisf-users] PCRE question

Will Metcalf william.metcalf at gmail.com
Wed Jul 11 17:22:44 EDT 2012


Ancient pcre version?
/pcretest -C
PCRE version 8.30 2012-02-04
Compiled with
  8-bit support only
  UTF-8 support
  Unicode properties support
  Just-in-time compiler support: x86 64bit (little endian + unaligned)
  Newline sequence is LF
  \R matches all Unicode newlines
  Internal link size = 2
  POSIX malloc threshold = 10
  Default match limit = 10000000
  Default recursion depth limit = 10000000
  Match recursion uses stack


On Wed, Jul 11, 2012 at 1:49 PM, Brandon Ganem
<brandonganem+oisf at gmail.com>wrote:

> Kay,
> I've got a bunch of signatures doing this. For example:
> [18575] 11/7/2012 -- 13:22:40 - (detect-pcre.c:949) <Error>
> (DetectPcreParse) -- [ERRCODE: SC_ERR_PCRE_STUDY(6)] - pcre study failed :
> unknown or incorrect option bit(s) set
> [18575] 11/7/2012 -- 13:22:40 - (detect.c:547) <Error> (DetectLoadSigFile)
> -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert
> http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft
> Internet Explorer SameID Use-After-Free "; flow:established,from_server;
> content:"<DIV id="; nocase; content:"<img id="; nocase; distance:0;
> content:".innerHTML"; distance:0;
> pcre:"/<DIV\s*?id[\s\r\n]*?\x3d[\s\r\n]*?(?P<divid>[^>]+).+?<img\s*id=\s*?\x22(?P<imgid>[^\x22]+).+?\<a\s*?href=\x22javascript\x3a(?P<firstfunction>[^\x28]+)\(\).+?\>.*?\<div[^\>]+?id=\x22(?P=imgid)\x22[^>]+?on[A-Za-z]+?\s*?=\s*?\x22(?P<secondfunction>[^\x28]+)\(\)\x3b\s*?\x22.+?function[\s\r\n]*?(?P=firstfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?(?P=divid)\x2einnerHTML\s*?\x3d\s*?(?P=divid)\x2einnerHTML[\s\r\n]*?\x3b.*?\x7d.*?function[\s\r\n]*?(?P=secondfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?\x28\x22(?P=imgid)\x22\x29\x2esrc\s*?\x3d/si";
> reference:cve,CVE-2012-1875; classtype:attempted-user; sid:2014911;
> rev:10;)" from file /etc/suricata/rules/etpro/web_client.rules at line 1916
> http://doc.emergingthreats.net/bin/view/Main/2014911
>
> It doesn't seem to be related to the pcre options. I created a sig without
> any options:
> alert tcp any any -> any any (msg:"test .jar sig"; content:".jar"; nocase;
> http_uri; pcre: "/\d{5}\.jar/"; classtype:trojan-activity;
> sid:2055555555555500349; rev:1;)
>
> regardless of the pcre options it blows up. However if I get ride of the
> pcre statement it works fine.
>
> Thanks!
>
> On Wed, Jul 11, 2012 at 2:33 PM, kay <kay.diam at gmail.com> wrote:
>
>> Thanks for info, now I know more about it. But it is a custom suricata
>> modifier. I would suggest the author to try start suricata without
>> this modifier.
>>
>> 2012/7/11 Chris Wakelin <c.d.wakelin at reading.ac.uk>:
>> > On 11/07/2012 19:06, kay wrote:
>> >> I have noticed /H modifier. I've never heard about such modifier.
>> >>
>> >> "/Host\x3a ([0-9]{1,3}\.){3}[0-9]{1,3}/H"
>> >
>> > From
>> >
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords
>> > :-
>> >> H       Makes pcre match on the HTTP-header.  H can be combined with
>> /R. Note that R is relative to the
>> >>         previous match so both matches have to be in the HTTP-header
>> body.
>> >
>> > plus several others!
>> >
>> > Best Wishes,
>> > Chris
>> >
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120711/6589311d/attachment-0001.html>


More information about the Oisf-users mailing list