[Oisf-users] PCRE question
Victor Julien
victor at inliniac.net
Thu Jul 12 19:00:13 EDT 2012
On 07/12/2012 08:37 PM, Brandon Ganem wrote:
> Victor, it looks like you're right. I have multiple libpcre.so files in my
> ldconfig.
>
> I guess I'm just not sure how to fix the problem. I tried apt-get remove
> libpcre3-devel but it doesn't seem to make a difference.
The -devel package only contains the header files. You'd have to remove
the libpcre3 package, but be careful: other apps may depend on it.
For me it works fine to install pcre 8.31 into /opt/pcre-8.31 and then
point Suricata to that with
--with-libpcre-includes=/opt/pcre-8.31/include/ and
--with-libpcre-libraries=/opt/pcre-8.31/lib/
Cheers,
Victor
> Thanks!
>
> On Wed, Jul 11, 2012 at 5:34 PM, Victor Julien <victor at inliniac.net> wrote:
>
> On 07/11/2012 07:56 PM, Brandon Ganem wrote:
> > Hi all,
> > I'm trying to use signatures with PCRE in them. Looking at my
> > suricata.log file I see many entries with the following:
> >
> >
> > [18575] 11/7/2012 -- 13:22:40 - (detect-pcre.c:949) <Error>
> > (DetectPcreParse) -- [ERRCODE: SC_ERR_PCRE_STUDY(6)] - pcre study failed
> > : unknown or incorrect option bit(s) set
> > [18575] 11/7/2012 -- 13:22:40 - (detect.c:547) <Error>
> > (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
> > parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> > (msg:"ET WORM AirOS .css Worm Outbound Propagation Sweep";
> > flow:established,to_server; content:"/admin.cgi/.gif"; http_uri;
> > pcre:"/Host\x3a ([0-9]{1,3}\.){3}[0-9]{1,3}/H";
> > reference:url,seclists.org/fulldisclosure/2011/Dec/419;
> > reference:url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/;
> > classtype:trojan-activity; sid:2014041; rev:5;)" from file
> > /etc/suricata/rules/worm.rules at line 152
> >
> > I've installed pcre with jit enabled as per:
> > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_PCRE-JIT
> > I also referenced:
> > http://blog.inliniac.net/2011/10/12/suricata-and-pcre-performance/
> >
> > Note, as far as I can tell this happens on every sig with PCRE in it.
> > Hard to tell. Am I just doing something wrong?
> > I'm on the latest GIT, along with pcre 8.31 (I was on 8.20 RC1 as per
> > the guide, but I upgraded in an attempt to fix this)
>
> Seen this error before. It turned out I used headers from 8.31, but
> linked against the distro libpcre.
>
> I'm pretty sure you have either a typo in your --with-libpcre-* or you
> have multiple libpcre.so's of different versions in your ld path.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
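
Added example, not part of the original thread: a shell check for the mismatch described above (headers from one PCRE version, library from another). The function names are hypothetical and the ldconfig lines in SAMPLE_LDCONFIG are constructed; only /opt/pcre-8.31 comes from the message.

```sh
#!/bin/sh
# Print "MAJOR.MINOR" from a pcre.h, which defines PCRE_MAJOR and PCRE_MINOR.
# Usage: pcre_header_version /opt/pcre-8.31/include/pcre.h
pcre_header_version() {
    awk '$1 == "#define" && $2 == "PCRE_MAJOR" { maj = $3 }
         $1 == "#define" && $2 == "PCRE_MINOR" { min = $3 }
         END { if (maj != "" && min != "") print maj "." min; else exit 1 }' "$1"
}

# Read `ldconfig -p` output on stdin; print each libpcre.so* path once.
# libpcreposix and libpcrecpp are deliberately not matched.
pcre_libs_in_cache() {
    awk '$1 ~ /^libpcre\.so/ && $(NF-1) == "=>" { print $NF }' | sort -u
}

# Read `ldconfig -p` output on stdin; print how many distinct directories
# provide a libpcre.so*. More than one means the linker or loader can pick
# a copy that does not match the headers used at compile time.
pcre_lib_dir_count() {
    pcre_libs_in_cache | sed 's|/[^/]*$||' | sort -u | wc -l | tr -d ' '
}

# Read `ldd <binary>` output on stdin; print the libpcre the binary resolves to.
# Usage: ldd "$(command -v suricata)" | pcre_lib_from_ldd
pcre_lib_from_ldd() {
    awk '$1 ~ /^libpcre\.so/ && $2 == "=>" { print $3 }'
}

# Constructed sample of `ldconfig -p` output: a distro copy plus /opt/pcre-8.31.
SAMPLE_LDCONFIG='  libpcre.so.3 (libc6,x86-64) => /lib/x86_64-linux-gnu/libpcre.so.3
  libpcre.so.1 (libc6,x86-64) => /opt/pcre-8.31/lib/libpcre.so.1
  libpcreposix.so.3 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libpcreposix.so.3'

# Demo on the constructed sample; on a real host pipe `ldconfig -p` in instead.
dirs=$(printf '%s\n' "$SAMPLE_LDCONFIG" | pcre_lib_dir_count)
if [ "$dirs" -gt 1 ]; then
    echo "libpcre found in $dirs directories:"
    printf '%s\n' "$SAMPLE_LDCONFIG" | pcre_libs_in_cache
fi
```

If the path printed by pcre_lib_from_ldd is not under the directory given to --with-libpcre-libraries, the binary is loading a different libpcre than the one whose headers it was compiled against.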