[Oisf-users] pcre with /R (relative) needs preceeding match in the same buffer error message

Anoop Saldanha anoopsaldanha at gmail.com
Thu Jul 3 04:05:35 UTC 2014


On Thu, Jul 3, 2014 at 9:14 AM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
> On Thu, Jul 3, 2014 at 6:58 AM, manhunt <manhunt234 at hotmail.com> wrote:
>> Dear Open Information Security Foundation team,
>>
>>
>> My name is Alex and I'm doing a masters project that requires me to install
>> an open source intrusion detection system (Suricata, Snort etc.) on a Linux
>> system that is running a Modbus TCP simulator (Conpot).
>>
>>
>> I have obtained the 14 Modbus TCP rules (Digital Bond) that had been written
>> for Snort. I decided to use these rules with Suricata. I know that these
>> rules are fully compatible with Suricata. However, I am unable to execute
>> the following rule:
>>
>>
>> alert tcp $MODBUS_CLIENT any <> $MODBUS_SERVER 502 (flow:established;
>> pcre:"/[\S\s]{2}(?!\x00\x00)/iAR"; msg:"SCADA_IDS: Modbus TCP - Non-Modbus
>> Communication on TCP Port 502";
>> reference:url,digitalbond.com/tools/quickdraw/modbus-tcp-rules;
>> classtype:non-standard-protocol; sid:1111009; rev:1; priority:1;)
>>
>>
>> I get the following error message:
>>
>>
>> 1/7/2014 -- 23:32:47 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
>> pcre with /R (relative) needs preceeding match in the same buffer
>>
>> 1/7/2014 -- 23:32:47 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
>> error parsing signature "alert tcp $MODBUS_CLIENT any <> $MODBUS_SERVER 502
>> (flow:established; pcre:"/[\S\s]{2}(?!\x00\x00)/iAR"; msg:"SCADA_IDS: Modbus
>> TCP - Non-Modbus Communication on TCP Port 502";
>> reference:url,digitalbond.com/tools/quickdraw/modbus-tcp-rules;
>> classtype:non-standard-protocol; sid:1111009; rev:1; priority:1;)" from file
>> /etc/suricata/rules/modbus.rules at line 14
>>
>>
>> I tried adding “^” to the following line:
>>
>>
>> pcre:"/^[\S\s]{2}(?!\x00\x00)/iAR"
>>
>>
>> However, that didn't solve the problem. I am using Suricata 2.0.2. The
>> operating system is Linux Ubuntu 12.04.
>>
>>
>> The rule:
>>
>> http://www.digitalbond.com/tools/quickdraw/modbus-tcp-rules/rule-1111009/
>>
>>
>> I have very limited knowledge of Linux and IDSs in general, but I would
>> really like to get this rule to work.
>>
>>
>> Looking forward to your reply.
>>
>
> This must be an older version of Suricata (1.4.x most likely). Using
> 2.x should let the rule through.
>

Oh, I missed that you specified you were running 2.0.x.

Dug a bit deeper, and I see that we had changed this behaviour (to
allow the above rule) when we entered v2, but it looks like recently,
with https://redmine.openinfosecfoundation.org/issues/1098, we have
re-updated this behaviour to the pre-v2 one.

-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
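Two things in the thread are worth making concrete, as an added example that is not part of the original e-mails or of Suricata's or Digital Bond's code: what the quoted rule actually detects (a Modbus/TCP MBAP header whose protocol identifier, bytes 2-3 of the payload, is not 0x0000), and the condition the parser error complains about (a pcre carrying the /R relative flag with no content match before it). The Python below constructs a few sample payloads and runs a Python equivalent of the rule's regex beside an explicit MBAP field check, then lints rule text with a simplified version of Suricata's check: it only looks for a content keyword earlier in the option list, while Suricata additionally requires that match to be in the same buffer. The sample payloads, the second rule and all function names are constructed for this example.

```python
import re

# Constructed sample payloads (not from the thread): what a sensor on TCP/502
# might see. The MBAP header is transaction id (2 bytes), protocol id (2 bytes,
# always 0x0000 for Modbus/TCP), length (2 bytes), unit id (1 byte).
SAMPLES = {
    # Read Holding Registers, unit 1, start 0, quantity 10: a valid Modbus/TCP frame
    "modbus_read_holding": b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a",
    # Same frame with protocol id 0x0001: not Modbus/TCP
    "bad_protocol_id": b"\x00\x01\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a",
    # A plain-text protocol on the Modbus port
    "http_on_502": b"GET / HTTP/1.1\r\nHost: plc\r\n\r\n",
}

# Python equivalent of the rule's pcre, anchored to the start of the payload
# as Suricata's /A flag does: any two bytes NOT followed by the two zero bytes
# of a Modbus/TCP protocol identifier. [\S\s] matches any byte, newline included.
NON_MODBUS_PCRE = re.compile(rb"\A[\S\s]{2}(?!\x00\x00)")


def pcre_flags_non_modbus(payload: bytes) -> bool:
    """Verdict of the rule's regex alone."""
    return NON_MODBUS_PCRE.match(payload) is not None


def mbap_flags_non_modbus(payload: bytes) -> bool:
    """Explicit check of the MBAP protocol identifier field (bytes 2-3)."""
    if len(payload) < 7:  # shorter than an MBAP header: cannot be Modbus/TCP
        return True
    return payload[2:4] != b"\x00\x00"


def classify_samples() -> dict:
    """Run both checks over the constructed payloads: name -> (regex, explicit)."""
    return {name: (pcre_flags_non_modbus(p), mbap_flags_non_modbus(p))
            for name, p in SAMPLES.items()}


def split_rule_options(rule: str) -> list:
    """Split the parenthesised option list into (keyword, value) pairs.
    Splits on ';' only outside double quotes and honours backslash escapes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    parts, cur, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        parts.append("".join(cur))
    pairs = []
    for part in parts:
        key, _, value = part.strip().partition(":")
        pairs.append((key.strip(), value.strip()))
    return pairs


def relative_pcre_without_content(rule: str) -> list:
    """Return pcre values that use the /R flag before any content: keyword.
    Assumption/simplification: any earlier content: counts; Suricata also
    requires that content to be in the same buffer as the pcre."""
    offending, seen_content = [], False
    for key, value in split_rule_options(rule):
        if key == "content":
            seen_content = True
        elif key == "pcre":
            flags = value.strip('"').rsplit("/", 1)[-1]
            if "R" in flags and not seen_content:
                offending.append(value)
    return offending


# The rule quoted in the thread, on one line.
RULE_FROM_THREAD = (
    r'alert tcp $MODBUS_CLIENT any <> $MODBUS_SERVER 502 (flow:established; '
    r'pcre:"/[\S\s]{2}(?!\x00\x00)/iAR"; msg:"SCADA_IDS: Modbus TCP - Non-Modbus '
    r'Communication on TCP Port 502"; '
    r'reference:url,digitalbond.com/tools/quickdraw/modbus-tcp-rules; '
    r'classtype:non-standard-protocol; sid:1111009; rev:1; priority:1;)'
)

# Constructed rule using the usual content-then-relative-pcre idiom, only to
# show the lint passing; it is not a proposed rewrite of the Modbus rule.
RULE_WITH_CONTENT = (
    r'alert tcp any any -> any 80 (content:"GET"; depth:3; '
    r'pcre:"/ HTTP\/1\.[01]/R"; sid:1; rev:1;)'
)
```

`relative_pcre_without_content(RULE_FROM_THREAD)` returns the offending pcre, reproducing the condition behind the `pcre with /R (relative) needs preceeding match in the same buffer` error, while the second rule returns nothing. `classify_samples()` shows the regex and the explicit MBAP check agreeing on all three payloads; they diverge only on payloads under two bytes, which the regex cannot match at all and the explicit check treats as non-Modbus.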