[Oisf-users] pcre with /R (relative) needs preceeding match in the same buffer error message

Anoop Saldanha anoopsaldanha at gmail.com
Thu Jul 3 03:44:59 UTC 2014


On Thu, Jul 3, 2014 at 6:58 AM, manhunt <manhunt234 at hotmail.com> wrote:
> Dear Open Information Security Foundation team,
>
>
> My name is Alex and I'm doing a masters project that requires me to install
> an open source intrusion detection system (Suricata, Snort etc.) on a Linux
> system that is running a Modbus TCP simulator (Conpot).
>
>
> I have obtained the 14 Modbus TCP rules (Digital Bond) that had been written
> for Snort. I decided to use these rules with Suricata. I know that these
> rules are fully compatible with Suricata. However, I am unable to execute
> the following rule:
>
>
> alert tcp $MODBUS_CLIENT any <> $MODBUS_SERVER 502 (flow:established;
> pcre:"/[\S\s]{2}(?!\x00\x00)/iAR"; msg:"SCADA_IDS: Modbus TCP - Non-Modbus
> Communication on TCP Port 502";
> reference:url,digitalbond.com/tools/quickdraw/modbus-tcp-rules;
> classtype:non-standard-protocol; sid:1111009; rev:1; priority:1;)
>
>
> I get the following error message:
>
>
> 1/7/2014 -- 23:32:47 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
> pcre with /R (relative) needs preceeding match in the same buffer
>
> 1/7/2014 -- 23:32:47 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
> error parsing signature "alert tcp $MODBUS_CLIENT any <> $MODBUS_SERVER 502
> (flow:established; pcre:"/[\S\s]{2}(?!\x00\x00)/iAR"; msg:"SCADA_IDS: Modbus
> TCP - Non-Modbus Communication on TCP Port 502";
> reference:url,digitalbond.com/tools/quickdraw/modbus-tcp-rules;
> classtype:non-standard-protocol; sid:1111009; rev:1; priority:1;)" from file
> /etc/suricata/rules/modbus.rules at line 14
>
>
> I tried adding “^” to the following line:
>
>
> pcre:"/^[\S\s]{2}(?!\x00\x00)/iAR"
>
>
> However, that didn't solve the problem. I am using Suricata 2.0.2. The
> operating system is Linux Ubuntu 12.04.
>
>
> The rule:
>
> http://www.digitalbond.com/tools/quickdraw/modbus-tcp-rules/rule-1111009/
>
>
> I have very limited knowledge of Linux and IDSs in general, but I would
> really like to get this rule to work.
>
>
> Looking forward to your reply.
>

This must be an older version of suricata (1.4.x most likely).  Using
2.x should let the rule through.

-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
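As an added illustration, not part of the thread or of Suricata's code: a small Python model of what the rule's regex matches on constructed Modbus and non-Modbus payloads (showing why the /A anchor matters), plus a simplified version of the rule-option check that produces the "needs preceeding match" error. The relative-pcre check below is my reading of the rule semantics, not Suricata's implementation, and the FIXED option string is my own variant that simply drops the R flag.

```python
import re

# Constructed Modbus/TCP samples (not from the thread). A genuine MBAP header
# is: transaction id (2 bytes), protocol id 0x0000 (2 bytes), length, unit id.
MODBUS_REQ = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"
NOT_MODBUS = b"GET / HTTP/1.1\r\n"

# The rule's regex: consume any two bytes, then assert the next two are
# not 0x00 0x00, i.e. the protocol-id field does not say "Modbus".
NON_MODBUS_RE = re.compile(rb"[\S\s]{2}(?!\x00\x00)", re.IGNORECASE)

def non_modbus_on_502(payload: bytes, anchored: bool = True) -> bool:
    """Apply the rule's regex; 'anchored' models the /A flag."""
    if anchored:
        return NON_MODBUS_RE.match(payload) is not None
    # Unanchored, the regex also fires on real Modbus (offset 2: 00 00 / 00 06).
    return NON_MODBUS_RE.search(payload) is not None

def parse_options(body: str):
    """Split 'k:v; k:v;' into (name, value) pairs, respecting quoted values."""
    pairs, buf, quoted = [], "", False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            name, _, value = buf.strip().partition(":")
            pairs.append((name, value.strip().strip('"')))
            buf = ""
        else:
            buf += ch
    if buf.strip():
        name, _, value = buf.strip().partition(":")
        pairs.append((name, value.strip().strip('"')))
    return pairs

def relative_pcre_error(body: str):
    """Simplified model (assumption, not Suricata's source) of the check: a
    pcre carrying the R flag must follow a content/pcre match in the same
    buffer. Returns the error text, or None when the rule passes."""
    have_prior_match = False
    for name, value in parse_options(body):
        if name == "pcre":
            flags = value.rsplit("/", 1)[1]
            if "R" in flags and not have_prior_match:
                return "pcre with /R (relative) needs preceding match in the same buffer"
        if name in ("content", "pcre"):
            have_prior_match = True
    return None

# Option bodies of the thread's rule (trimmed) and of my variant without R.
ORIGINAL = 'flow:established; pcre:"/[\\S\\s]{2}(?!\\x00\\x00)/iAR"; sid:1111009;'
FIXED = 'flow:established; pcre:"/[\\S\\s]{2}(?!\\x00\\x00)/iA"; sid:1111009;'
```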