[Oisf-users] PCRE question
Brandon Ganem
brandonganem+oisf at gmail.com
Thu Jul 12 15:08:28 EDT 2012
Some context:
root at xxx:/opt/pcre-8.31# ldd /usr/local/bin/suricata
linux-vdso.so.1 => (0x00007fffb01d6000)
libhtp-0.2.so.1 => /usr/local/lib/libhtp-0.2.so.1
(0x00007fc935eb9000)
libmagic.so.1 => /usr/lib/libmagic.so.1 (0x00007fc935c9c000)
libcap-ng.so.0 => /usr/lib/libcap-ng.so.0 (0x00007fc935a96000)
libpcap.so.0.8 => /usr/lib/libpcap.so.0.8 (0x00007fc93585f000)
libpfring.so => /usr/local/lib/libpfring.so (0x00007fc935641000)
libnet.so.1 => /usr/lib/libnet.so.1 (0x00007fc935427000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x00007fc935209000)
libyaml-0.so.2 => /usr/lib/libyaml-0.so.2 (0x00007fc934fe9000)
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3
(0x00007fc934dac000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc934a17000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fc9347ff000)
/lib64/ld-linux-x86-64.so.2 (0x00007fc9360d9000)
On Thu, Jul 12, 2012 at 2:37 PM, Brandon Ganem
<brandonganem+oisf at gmail.com>wrote:
> Victor, it looks like your right. I have multiple libpcre.so files in my
> ldconfig.
>
> I guess i'm just not sure how to fix the problem. I tried apt-get remove
> libpcre3-devel but it doesn't seem to make a difference.
>
> Thanks!
>
> On Wed, Jul 11, 2012 at 5:34 PM, Victor Julien <victor at inliniac.net>wrote:
>
>> On 07/11/2012 07:56 PM, Brandon Ganem wrote:
>> > Hi all,
>> > I'm trying to use signatures with PCRE in them. Looking at my
>> > suricata.log file I see many entries with the following:
>> >
>> >
>> > [18575] 11/7/2012 -- 13:22:40 - (detect-pcre.c:949) <Error>
>> > (DetectPcreParse) -- [ERRCODE: SC_ERR_PCRE_STUDY(6)] - pcre study failed
>> > : unknown or incorrect option bit(s) set
>> > [18575] 11/7/2012 -- 13:22:40 - (detect.c:547) <Error>
>> > (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
>> > parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>> > (msg:"ET WORM AirOS .css Worm Outbound Propagation Sweep";
>> > flow:established,to_server; content:"/admin.cgi/.gif"; http_uri;
>> > pcre:"/Host\x3a ([0-9]{1,3}\.){3}[0-9]{1,3}/H";
>> > reference:url,seclists.org/fulldisclosure/2011/Dec/419
>> > <http://seclists.org/fulldisclosure/2011/Dec/419>;
>> > reference:url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/
>> > <http://www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/>;
>> > classtype:trojan-activity; sid:2014041; rev:5;)" from file
>> > /etc/suricata/rules/worm.rules at line 152
>> >
>> > I've installed pcre with jit enabled as
>> > per:
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_PCRE-JIT
>> > I
>> > also referenced:
>> http://blog.inliniac.net/2011/10/12/suricata-and-pcre-performance/
>> >
>> > Note, As far as I can tell this happens on every sig with PCRE in it.
>> > Hard to tell. Am I just doing something wrong?
>> > I'm on the latest GIT, along with pcre 8.31 (I was on 8.20 RC1 as per
>> > the guide, but I upgraded in an attempt to fix this)
>>
>> Seen this error before. It turned out I used headers from 8.31, but
>> linked against the distro libpcre.
>>
>> I'm pretty sure you have either a typo in your --with-libpcre-* or you
>> have multiple libpcre.so's of different versions in your ld path.
>>
>> --
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
>>
>>
>> _______________________________________________
>> Oisf-users mailing list
>> Oisf-users at openinfosecfoundation.org
>> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120712/3f08ea9f/attachment.html>
More information about the Oisf-users
mailing list