[Oisf-users] PCRE question

Will Metcalf william.metcalf at gmail.com
Wed Jul 11 17:37:53 EDT 2012 

You annoy me... :)

Regards,

Will

On Wed, Jul 11, 2012 at 4:34 PM, Victor Julien <victor at inliniac.net> wrote:

> 8.31 is also out already :)
>
> On 07/11/2012 11:22 PM, Will Metcalf wrote:
> > Ancient pcre version?
> > /pcretest -C
> > PCRE version 8.30 2012-02-04
> > Compiled with
> >   8-bit support only
> >   UTF-8 support
> >   Unicode properties support
> >   Just-in-time compiler support: x86 64bit (little endian + unaligned)
> >   Newline sequence is LF
> >   \R matches all Unicode newlines
> >   Internal link size = 2
> >   POSIX malloc threshold = 10
> >   Default match limit = 10000000
> >   Default recursion depth limit = 10000000
> >   Match recursion uses stack
> >
> >
> > On Wed, Jul 11, 2012 at 1:49 PM, Brandon Ganem
> > <brandonganem+oisf at gmail.com <mailto:brandonganem+oisf at gmail.com>>
> wrote:
> >
> >     Kay,
> >     I've got a bunch of signatures doing this. For example:
> >     [18575] 11/7/2012 -- 13:22:40 - (detect-pcre.c:949) <Error>
> >     (DetectPcreParse) -- [ERRCODE: SC_ERR_PCRE_STUDY(6)] - pcre study
> >     failed : unknown or incorrect option bit(s) set
> >     [18575] 11/7/2012 -- 13:22:40 - (detect.c:547) <Error>
> >     (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
> >     error parsing signature "alert http $EXTERNAL_NET any -> $HOME_NET
> >     any (msg:"ET WEB_CLIENT Microsoft Internet Explorer SameID
> >     Use-After-Free "; flow:established,from_server; content:"<DIV id=";
> >     nocase; content:"<img id="; nocase; distance:0;
> >     content:".innerHTML"; distance:0;
> >
> pcre:"/<DIV\s*?id[\s\r\n]*?\x3d[\s\r\n]*?(?P<divid>[^>]+).+?<img\s*id=\s*?\x22(?P<imgid>[^\x22]+).+?\<a\s*?href=\x22javascript\x3a(?P<firstfunction>[^\x28]+)\(\).+?\>.*?\<div[^\>]+?id=\x22(?P=imgid)\x22[^>]+?on[A-Za-z]+?\s*?=\s*?\x22(?P<secondfunction>[^\x28]+)\(\)\x3b\s*?\x22.+?function[\s\r\n]*?(?P=firstfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?(?P=divid)\x2einnerHTML\s*?\x3d\s*?(?P=divid)\x2einnerHTML[\s\r\n]*?\x3b.*?\x7d.*?function[\s\r\n]*?(?P=secondfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?\x28\x22(?P=imgid)\x22\x29\x2esrc\s*?\x3d/si";
> >     reference:cve,CVE-2012-1875; classtype:attempted-user; sid:2014911;
> >     rev:10;)" from file /etc/suricata/rules/etpro/web_client.rules at
> >     line 1916
> >     http://doc.emergingthreats.net/bin/view/Main/2014911
> >
> >     It doesn't seem to be related to the pcre options. I created a sig
> >     without any options:
> >     alert tcp any any -> any any (msg:"test .jar sig"; content:".jar";
> >     nocase; http_uri; pcre: "/\d{5}\.jar/"; classtype:trojan-activity;
> >     sid:2055555555555500349; rev:1;)
> >
> >     regardless of the pcre options it blows up. However if I get ride of
> >     the pcre statement it works fine.
> >
> >     Thanks!
> >
> >     On Wed, Jul 11, 2012 at 2:33 PM, kay <kay.diam at gmail.com
> >     <mailto:kay.diam at gmail.com>> wrote:
> >
> >         Thanks for info, now I know more about it. But it is a custom
> >         suricata
> >         modifier. I would suggest the author to try start suricata
> without
> >         this modifier.
> >
> >         2012/7/11 Chris Wakelin <c.d.wakelin at reading.ac.uk
> >         <mailto:c.d.wakelin at reading.ac.uk>>:
> >         > On 11/07/2012 19:06, kay wrote:
> >         >> I have noticed /H modifier. I've never heard about such
> modifier.
> >         >>
> >         >> "/Host\x3a ([0-9]{1,3}\.){3}[0-9]{1,3}/H"
> >         >
> >         > From
> >         >
> >
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/HTTP-keywords
> >         > :-
> >         >> H       Makes pcre match on the HTTP-header.  H can be
> >         combined with /R. Note that R is relative to the
> >         >>         previous match so both matches have to be in the
> >         HTTP-header body.
> >         >
> >         > plus several others!
> >         >
> >         > Best Wishes,
> >         > Chris
> >         >
> >         _______________________________________________
> >         Oisf-users mailing list
> >         Oisf-users at openinfosecfoundation.org
> >         <mailto:Oisf-users at openinfosecfoundation.org>
> >
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> >
> >
> >     _______________________________________________
> >     Oisf-users mailing list
> >     Oisf-users at openinfosecfoundation.org
> >     <mailto:Oisf-users at openinfosecfoundation.org>
> >     http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> >
> >
> >
> > _______________________________________________
> > Oisf-users mailing list
> > Oisf-users at openinfosecfoundation.org
> > http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
>
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120711/505fd57b/attachment.html>

More information about the Oisf-users mailing list