[Oisf-users] PCRE question

Victor Julien victor at inliniac.net
Thu Jul 12 23:00:13 UTC 2012


On 07/12/2012 08:37 PM, Brandon Ganem wrote:
> Victor, it looks like you're right. I have multiple libpcre.so files in my
> ldconfig.
> 
> I guess I'm just not sure how to fix the problem. I tried apt-get remove
> libpcre3-devel but it doesn't seem to make a difference.

The -devel package only contains the header files. You'd have to remove
the libpcre3 package, but be careful: other apps may depend on it.

For me it works fine to install pcre 8.31 into /opt/pcre-8.31 and then
point Suricata to that with
--with-libpcre-includes=/opt/pcre-8.31/include/ and
--with-libpcre-libraries=/opt/pcre-8.31/lib/

Cheers,
Victor

> Thanks!
> 
> On Wed, Jul 11, 2012 at 5:34 PM, Victor Julien <victor at inliniac.net> wrote:
> 
>     On 07/11/2012 07:56 PM, Brandon Ganem wrote:
>     > Hi all,
>     > I'm trying to use signatures with PCRE in them. Looking at my
>     > suricata.log file I see many entries with the following:
>     >
>     >
>     > [18575] 11/7/2012 -- 13:22:40 - (detect-pcre.c:949) <Error>
>     > (DetectPcreParse) -- [ERRCODE: SC_ERR_PCRE_STUDY(6)] - pcre study failed
>     > : unknown or incorrect option bit(s) set
>     > [18575] 11/7/2012 -- 13:22:40 - (detect.c:547) <Error>
>     > (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error
>     > parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>     > (msg:"ET WORM AirOS .css Worm Outbound Propagation Sweep";
>     > flow:established,to_server; content:"/admin.cgi/.gif"; http_uri;
>     > pcre:"/Host\x3a ([0-9]{1,3}\.){3}[0-9]{1,3}/H";
>     > reference:url,seclists.org/fulldisclosure/2011/Dec/419;
>     > reference:url,www.root.cz/clanky/virus-v-bezdratovych-routerech-skynet/;
>     > classtype:trojan-activity; sid:2014041; rev:5;)" from file
>     > /etc/suricata/rules/worm.rules at line 152
>     >
>     > I've installed pcre with jit enabled as per:
>     > https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT_with_PCRE-JIT
>     > I also referenced:
>     > http://blog.inliniac.net/2011/10/12/suricata-and-pcre-performance/
>     >
>     > Note: as far as I can tell this happens on every sig with PCRE in it.
>     > Hard to tell. Am I just doing something wrong?
>     > I'm on the latest GIT, along with pcre 8.31 (I was on 8.20 RC1 as per
>     > the guide, but I upgraded in an attempt to fix this)
> 
>     Seen this error before. It turned out I used headers from 8.31, but
>     linked against the distro libpcre.
> 
>     I'm pretty sure you have either a typo in your --with-libpcre-* or you
>     have multiple libpcre.so's of different versions in your ld path.
> 
>     --
>     ---------------------------------------------
>     Victor Julien
>     http://www.inliniac.net/
>     PGP: http://www.inliniac.net/victorjulien.asc
>     ---------------------------------------------
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
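The diagnosis in this thread is a compile-time/run-time version split: Suricata was built against the pcre.h of one PCRE release and then linked (or dynamically loaded) against a different libpcre.so, and pcre_study() rejected an option bit the older library did not know. The helpers below are an added illustration, not code from the thread, from Victor, or from the Suricata project. They assume the output formats of `ldconfig -p` and `strings` on a GNU/Linux host and the `PCRE_MAJOR`/`PCRE_MINOR` macros that pcre.h defines; the `SAMPLE_*` contents are constructed to mimic a box carrying both the distro libpcre3 and a hand-built PCRE under /opt, not real system output.

```shell
#!/usr/bin/env bash
# Added example, not code from the mailing-list thread or the Suricata project.
# Each helper reads tool output on stdin, so it can be fed real output
# (`ldconfig -p`, `strings libpcre.so`, `cat pcre.h`) or the constructed
# samples further down.

# List every libpcre.so* path the dynamic linker cache knows about.
# Input on stdin: output of `ldconfig -p`. Output: one unique path per line.
pcre_lib_paths() {
    awk '/libpcre\.so/ { print $NF }' | sort -u
}

# Number of distinct libpcre.so* candidates. More than one is the
# "multiple libpcre.so's of different versions in your ld path" case.
pcre_lib_count() {
    pcre_lib_paths | wc -l | tr -d ' '
}

# "MAJOR.MINOR" from a pcre.h read on stdin (PCRE_MAJOR / PCRE_MINOR macros).
pcre_header_version() {
    awk '/^#define PCRE_MAJOR/ { maj = $3 }
         /^#define PCRE_MINOR/ { min = $3 }
         END { printf "%s.%s\n", maj, min }'
}

# "MAJOR.MINOR" a libpcre.so reports at run time. The library embeds the
# string pcre_version() returns ("8.31 2012-07-06" style); feed it
# `strings /path/to/libpcre.so` on stdin.
pcre_lib_version() {
    grep -oE '^[0-9]+\.[0-9]+ [0-9]{4}-[0-9]{2}-[0-9]{2}' | head -n 1 | cut -d ' ' -f 1
}

# Exit status 0 when header and library versions agree, 1 otherwise.
pcre_versions_match() {
    [ "$1" = "$2" ]
}

# Constructed samples (not real system output).
SAMPLE_LDCONFIG='    libpcre.so.3 (libc6,x86-64) => /lib/x86_64-linux-gnu/libpcre.so.3
    libpcre.so (libc6,x86-64) => /opt/pcre-8.31/lib/libpcre.so
    libpcre.so (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libpcre.so
    libpcap.so.0.8 (libc6,x86-64) => /usr/lib/x86_64-linux-gnu/libpcap.so.0.8'

SAMPLE_PCRE_H='#define PCRE_MAJOR          8
#define PCRE_MINOR          31
#define PCRE_DATE           2012-07-06'

# Constructed strings(1) excerpt of an older distro libpcre.
SAMPLE_STRINGS='pcre_version
8.12 2011-01-15
pcre_study'

# Demo run on the samples. On a real host use, for example:
#   ldconfig -p | pcre_lib_count
#   pcre_header_version < /opt/pcre-8.31/include/pcre.h
#   strings "$(ldd "$(command -v suricata)" | awk '/libpcre/ { print $3 }')" | pcre_lib_version
hdr=$(printf '%s\n' "$SAMPLE_PCRE_H" | pcre_header_version)
lib=$(printf '%s\n' "$SAMPLE_STRINGS" | pcre_lib_version)
n=$(printf '%s\n' "$SAMPLE_LDCONFIG" | pcre_lib_count)
echo "libpcre candidates in ld cache: $n"
if pcre_versions_match "$hdr" "$lib"; then
    echo "pcre.h $hdr matches libpcre $lib"
else
    echo "MISMATCH: compiled against pcre.h $hdr, linked libpcre reports $lib"
fi
```

Running the demo prints three candidates and a mismatch between the 8.31 header and the 8.12 library, which is the configuration that produced the `SC_ERR_PCRE_STUDY` errors above. On a real host, comparing `pcre_header_version` of the include directory passed in `--with-libpcre-includes` with `pcre_lib_version` of the library that `ldd suricata` actually resolves is the quickest way to confirm the fix took effect.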