[Oisf-users] PCRE question
Victor Julien
victor at inliniac.net
Wed Jul 11 21:34:08 UTC 2012
On 07/11/2012 07:56 PM, Brandon Ganem wrote:
> Hi all,
> I'm trying to use signatures with PCRE in them. Looking at my
> suricata.log file I see many entries with the following:
>
>
> [18575] 11/7/2012 -- 13:22:40 - (detect-pcre.c:949) <Error>
> (DetectPcreParse) -- [ERRCODE: SC_ERR_PCRE_STUDY(6)] - pcre study failed
> : unknown or incorrect option bit(s) set
> [18575] 11/7/2012 -- 13:22:40 - (detect.c:547) <Error>
> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
> parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"ET WORM AirOS .css Worm Outbound Propagation Sweep";
> flow:established,to_server; content:"/admin.cgi/.gif"; http_uri;
> pcre:"/Host\x3a ([0-9]{1,3}\.){3}[0-9]{1,3}/H";
> reference:url,seclists.org/fulldisclosure/2011/Dec/419
> <http://seclists.org/fulldisclosure/2011/Dec/419>;
> reference:url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/
> <http://www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/>;
> classtype:trojan-activity; sid:2014041; rev:5;)" from file
> /etc/suricata/rules/worm.rules at line 152
>
> I've installed pcre with jit enabled as
> per: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_PCRE-JIT
> I
> also referenced: http://blog.inliniac.net/2011/10/12/suricata-and-pcre-performance/
>
> Note, As far as I can tell this happens on every sig with PCRE in it.
> Hard to tell. Am I just doing something wrong?
> I'm on the latest GIT, along with pcre 8.31 (I was on 8.20 RC1 as per
> the guide, but I upgraded in an attempt to fix this)
Seen this error before. It turned out I used headers from 8.31, but
linked against the distro libpcre.
I'm pretty sure you have either a typo in your --with-libpcre-* or you
have multiple libpcre.so's of different versions in your ld path.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
More information about the Oisf-users
mailing list