[Oisf-users] pcre with /R (relative) needs preceeding match in the same buffer error message

manhunt manhunt234 at hotmail.com
Thu Jul 3 01:28:21 UTC 2014


Dear Open Information Security Foundation team,


My name is Alex and I'm doing a master's project that
requires me to install an open source intrusion detection system (Suricata,
Snort etc.) on a Linux system that is running a Modbus TCP simulator (Conpot).


I have obtained the 14 Modbus TCP rules (Digital Bond) that had
been written for Snort. I decided to use these rules with Suricata. I know that
these rules are fully compatible with Suricata. However, I am unable to execute
the following rule:


alert tcp $MODBUS_CLIENT any <> $MODBUS_SERVER 502
(flow:established; pcre:"/[\S\s]{2}(?!\x00\x00)/iAR";
msg:"SCADA_IDS: Modbus TCP - Non-Modbus Communication on TCP Port
502"; reference:url,digitalbond.com/tools/quickdraw/modbus-tcp-rules;
classtype:non-standard-protocol; sid:1111009; rev:1; priority:1;)


I get the following error message:


1/7/2014 -- 23:32:47 - <Error> - [ERRCODE:
SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match
in the same buffer

1/7/2014 -- 23:32:47 - <Error> - [ERRCODE:
SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp
$MODBUS_CLIENT any <> $MODBUS_SERVER 502 (flow:established;
pcre:"/[\S\s]{2}(?!\x00\x00)/iAR"; msg:"SCADA_IDS: Modbus TCP -
Non-Modbus Communication on TCP Port 502";
reference:url,digitalbond.com/tools/quickdraw/modbus-tcp-rules;
classtype:non-standard-protocol; sid:1111009; rev:1; priority:1;)" from
file /etc/suricata/rules/modbus.rules at line 14


I tried adding “^” to the following line:


pcre:"/^[\S\s]{2}(?!\x00\x00)/iAR"


However, that didn't solve the problem. I am using Suricata
2.0.2. The operating system is Linux Ubuntu 12.04.
The rule: http://www.digitalbond.com/tools/quickdraw/modbus-tcp-rules/rule-1111009/


I have very limited knowledge of Linux and IDSs in general,
but I would really like to get this rule to work.


Looking forward to your reply.


Regards,

Alex
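As an added example, not part of the original post: a Python reading of what the pcre in rule 1111009 actually tests (the MBAP protocol identifier in bytes 2-3 of the payload must be 0x0000), run over constructed port-502 payloads. The regex body is copied from the rule; the sample payloads, function names and the byte-level restatement are mine, and the /R modifier Suricata rejects is not reproduced because it only sets where matching starts, not what is tested.

```python
import re
import struct

# PCRE body from Quickdraw rule sid:1111009. Suricata's /A modifier anchors the
# pattern at the start of the buffer, reproduced here with \A. The /R modifier
# that Suricata rejects (no preceding content match to be relative to) only
# chooses the starting offset; the test itself is unchanged.
NON_MODBUS_RE = re.compile(rb"\A[\S\s]{2}(?!\x00\x00)", re.IGNORECASE)

def pcre_flags(payload: bytes) -> bool:
    """True when the rule's regex would match this TCP payload on port 502."""
    return NON_MODBUS_RE.search(payload) is not None

def protocol_id_check(payload: bytes) -> bool:
    """Byte-level restatement of the same test: Modbus/TCP requires the MBAP
    protocol identifier (payload bytes 2-3) to be 0x0000; anything else, or
    a payload too short to carry it, is flagged as non-Modbus."""
    return len(payload) >= 2 and payload[2:4] != b"\x00\x00"

def mbap_header(payload: bytes):
    """Decode the 7-byte MBAP header for reporting; None if too short."""
    if len(payload) < 7:
        return None
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    return {"transaction_id": tid, "protocol_id": proto, "length": length, "unit_id": unit}

# Constructed sample payloads as they would appear on TCP/502 (not captured traffic).
SAMPLES = {
    "modbus_read_holding_regs": bytes.fromhex("000100000006" "0103" "0000000a"),
    "modbus_high_tid": bytes.fromhex("123400000006" "0103" "00000002"),
    "http_on_502": b"GET / HTTP/1.1\r\nHost: plc\r\n\r\n",
    "ssh_banner_on_502": b"SSH-2.0-OpenSSH_5.9p1\r\n",
    "truncated_two_bytes": b"\x00\x01",
}

def classify(samples=SAMPLES):
    """Return {name: alert} and check that both readings of the rule agree."""
    result = {}
    for name, payload in samples.items():
        alert = pcre_flags(payload)
        assert alert == protocol_id_check(payload), name
        result[name] = alert
    return result

if __name__ == "__main__":
    for name, alert in classify().items():
        print(f"{name:26s} alert={alert!s:5s} mbap={mbap_header(SAMPLES[name])}")
```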