[Oisf-users] pcre with /R (relative) needs preceeding match in the same buffer error message

Rob MacGregor rob.macgregor at gmail.com
Thu Jul 3 10:15:46 UTC 2014 

On Thu, Jul 3, 2014 at 2:28 AM, manhunt <manhunt234 at hotmail.com> wrote:
> Dear Open Information Security Foundation team,
>
>
> My name is Alex and I'm doing a masters project that requires me to install
> an open source intrusion detection system (Suricata, Snort etc.) on a Linux
> system that is running a Modbus TCP simulator (Conpot).
>
>
> I have obtained the 14 Modbus TCP rules (Digital Bond) that had been written
> for Snort. I decided to use these rules with Suricata. I know that these
> rules are fully compatible with Suricata. However, I am unable to execute
> the following rule:
>
>
> alert tcp $MODBUS_CLIENT any <> $MODBUS_SERVER 502 (flow:established;
> pcre:"/[\S\s]{2}(?!\x00\x00)/iAR"; msg:"SCADA_IDS: Modbus TCP - Non-Modbus
> Communication on TCP Port 502";
> reference:url,digitalbond.com/tools/quickdraw/modbus-tcp-rules;
> classtype:non-standard-protocol; sid:1111009; rev:1; priority:1;)
>
>
> I get the following error message:
>
>
> 1/7/2014 -- 23:32:47 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
> pcre with /R (relative) needs preceeding match in the same buffer
>
> 1/7/2014 -- 23:32:47 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
> error parsing signature "alert tcp $MODBUS_CLIENT any <> $MODBUS_SERVER 502
> (flow:established; pcre:"/[\S\s]{2}(?!\x00\x00)/iAR"; msg:"SCADA_IDS: Modbus
> TCP - Non-Modbus Communication on TCP Port 502";
> reference:url,digitalbond.com/tools/quickdraw/modbus-tcp-rules;
> classtype:non-standard-protocol; sid:1111009; rev:1; priority:1;)" from file
> /etc/suricata/rules/modbus.rules at line 14

That rule is broken. The /R says that it is relative to the previous
match - but there is no previous match. Try running it without the R:

alert tcp $MODBUS_CLIENT any <> $MODBUS_SERVER 502 (flow:established;
pcre:"/[\S\s]{2}(?!\x00\x00)/iA"; msg:"SCADA_IDS: Modbus TCP -
Non-Modbus Communication on TCP Port 502";
reference:url,digitalbond.com/tools/quickdraw/modbus-tcp-rules;
classtype:non-standard-protocol; sid:1111009; rev:1; priority:1;)

-- 
                 Please keep list traffic on the list.

Rob MacGregor
      Whoever fights monsters should see to it that in the process he
        doesn't become a monster.                  Friedrich Nietzsche

More information about the Oisf-users mailing list