[Oisf-users] PCRE question

Brandon Ganem brandonganem+oisf at gmail.com
Wed Jul 11 17:56:59 UTC 2012


Hi all,
I'm trying to use signatures with PCRE in them. Looking at my suricata.log
file I see many entries with the following:


[18575] 11/7/2012 -- 13:22:40 - (detect-pcre.c:949) <Error>
(DetectPcreParse) -- [ERRCODE: SC_ERR_PCRE_STUDY(6)] - pcre study failed :
unknown or incorrect option bit(s) set
[18575] 11/7/2012 -- 13:22:40 - (detect.c:547) <Error> (DetectLoadSigFile)
-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert
http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WORM AirOS .css
Worm Outbound Propagation Sweep"; flow:established,to_server;
content:"/admin.cgi/.gif"; http_uri; pcre:"/Host\x3a
([0-9]{1,3}\.){3}[0-9]{1,3}/H"; reference:url,
seclists.org/fulldisclosure/2011/Dec/419; reference:url,
www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/;
classtype:trojan-activity; sid:2014041; rev:5;)" from file
/etc/suricata/rules/worm.rules at line 152

I've installed pcre with jit enabled as per:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_PCRE-JIT
I also referenced:
http://blog.inliniac.net/2011/10/12/suricata-and-pcre-performance/

Note: as far as I can tell this happens on every sig with PCRE in it. Hard
to tell. Am I just doing something wrong?
I'm on the latest GIT, along with pcre 8.31 (I was on 8.20 RC1 as per the
guide, but I upgraded in an attempt to fix this).

Thanks!
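For readers wondering what the quoted rule's pcre option actually looks for, the following is an added example (not code from the post, from Emerging Threats, or from Suricata itself). It splits a Suricata-style `pcre:"/regex/modifiers"` option into its regex and modifier letters, treats the trailing `H` as Suricata's "match against the HTTP header buffer" modifier rather than a PCRE option, compiles the regex with Python's `re` module, and runs it over two constructed HTTP request headers. The function names (`split_suricata_pcre`, `compile_suricata_pcre`, `header_matches`) and the sample headers are assumptions made for this example.

```python
import re

# The pcre option exactly as quoted in the rule from the post (sid:2014041).
# Suricata's trailing "H" is a buffer modifier (http_header), not a PCRE flag,
# so it has to be stripped before handing the regex to a regex engine.
RULE_PCRE = r'/Host\x3a ([0-9]{1,3}\.){3}[0-9]{1,3}/H'

# Suricata buffer modifiers (subset, for illustration) and the PCRE-style
# modifiers that map directly onto Python re flags.
BUFFER_MODIFIERS = {'H': 'http_header', 'U': 'http_uri', 'P': 'http_client_body'}
FLAG_MODIFIERS = {'i': re.IGNORECASE, 's': re.DOTALL, 'm': re.MULTILINE}


def split_suricata_pcre(option):
    """Split "/<regex>/<modifiers>" into (regex, modifiers).

    The regex itself may contain escaped slashes, so the closing delimiter is
    the last '/' in the option, not the second one.
    """
    if not option.startswith('/'):
        raise ValueError("pcre option must start with '/'")
    last = option.rfind('/')
    if last == 0:
        raise ValueError("pcre option is missing its closing '/'")
    return option[1:last], option[last + 1:]


def compile_suricata_pcre(option):
    """Return (compiled regex, list of buffer names the match is restricted to)."""
    regex, mods = split_suricata_pcre(option)
    flags = 0
    buffers = []
    for m in mods:
        if m in FLAG_MODIFIERS:
            flags |= FLAG_MODIFIERS[m]
        elif m in BUFFER_MODIFIERS:
            buffers.append(BUFFER_MODIFIERS[m])
        else:
            # Anything else (e.g. a modifier this toy does not model) is refused
            # loudly instead of being silently passed to the regex engine.
            raise ValueError("unsupported pcre modifier %r" % m)
    return re.compile(regex, flags), buffers


def header_matches(option, raw_headers):
    """True if the rule's regex matches the given HTTP header block.

    Only applied when the option targets the http_header buffer; a rule that
    targets another buffer (e.g. http_uri) is not matched against headers.
    """
    pattern, buffers = compile_suricata_pcre(option)
    if 'http_header' not in buffers:
        return False
    return pattern.search(raw_headers) is not None


# Constructed sample header blocks (not captured traffic). The rule looks for a
# Host header carrying a bare dotted-quad IP, which is what a propagation sweep
# over address ranges produces; a normal hostname does not match.
HEADERS_BARE_IP = (
    "GET /admin.cgi/.gif HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "User-Agent: constructed-sample\r\n\r\n"
)
HEADERS_HOSTNAME = (
    "GET /admin.cgi/.gif HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: constructed-sample\r\n\r\n"
)

if __name__ == '__main__':
    regex, mods = split_suricata_pcre(RULE_PCRE)
    print("regex:", regex, "| modifiers:", mods)
    print("bare IP host  :", header_matches(RULE_PCRE, HEADERS_BARE_IP))
    print("hostname host :", header_matches(RULE_PCRE, HEADERS_HOSTNAME))
```

The point of the split step is that the `H` in the log line above is consumed by Suricata's own option parser, not by PCRE; the "unknown or incorrect option bit(s) set" error in the post comes from the later `pcre_study` call, which is a separate concern from the regex text itself.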