[Oisf-users] PCRE question
Brandon Ganem
brandonganem+oisf at gmail.com
Thu Jul 12 18:37:19 UTC 2012
Victor, it looks like your right. I have multiple libpcre.so files in my
ldconfig.
I guess i'm just not sure how to fix the problem. I tried apt-get remove
libpcre3-devel but it doesn't seem to make a difference.
Thanks!
On Wed, Jul 11, 2012 at 5:34 PM, Victor Julien <victor at inliniac.net> wrote:
> On 07/11/2012 07:56 PM, Brandon Ganem wrote:
> > Hi all,
> > I'm trying to use signatures with PCRE in them. Looking at my
> > suricata.log file I see many entries with the following:
> >
> >
> > [18575] 11/7/2012 -- 13:22:40 - (detect-pcre.c:949) <Error>
> > (DetectPcreParse) -- [ERRCODE: SC_ERR_PCRE_STUDY(6)] - pcre study failed
> > : unknown or incorrect option bit(s) set
> > [18575] 11/7/2012 -- 13:22:40 - (detect.c:547) <Error>
> > (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
> > parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> > (msg:"ET WORM AirOS .css Worm Outbound Propagation Sweep";
> > flow:established,to_server; content:"/admin.cgi/.gif"; http_uri;
> > pcre:"/Host\x3a ([0-9]{1,3}\.){3}[0-9]{1,3}/H";
> > reference:url,seclists.org/fulldisclosure/2011/Dec/419
> > <http://seclists.org/fulldisclosure/2011/Dec/419>;
> > reference:url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/
> > <http://www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/>;
> > classtype:trojan-activity; sid:2014041; rev:5;)" from file
> > /etc/suricata/rules/worm.rules at line 152
> >
> > I've installed pcre with jit enabled as
> > per:
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_PCRE-JIT
> > I
> > also referenced:
> http://blog.inliniac.net/2011/10/12/suricata-and-pcre-performance/
> >
> > Note, As far as I can tell this happens on every sig with PCRE in it.
> > Hard to tell. Am I just doing something wrong?
> > I'm on the latest GIT, along with pcre 8.31 (I was on 8.20 RC1 as per
> > the guide, but I upgraded in an attempt to fix this)
>
> Seen this error before. It turned out I used headers from 8.31, but
> linked against the distro libpcre.
>
> I'm pretty sure you have either a typo in your --with-libpcre-* or you
> have multiple libpcre.so's of different versions in your ld path.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
>
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20120712/48fbecf3/attachment-0002.html>
More information about the Oisf-users
mailing list