[Oisf-users] Suricata versions (4.1.2 and 3.1) will not run after initial install on CENTOS 6.10 with SC_ERR_PCRE_COMPILE error

Eric Urban eurban at umn.edu
Tue Jan 1 19:27:27 UTC 2019


That pcre is present in detect-engine-event.c (
https://github.com/OISF/suricata/blob/16643befe7bebb9736d44f3a02efdf71135a7b84/src/detect-engine-event.c#L45),
so the error is likely coming from detect-parse.c at
https://github.com/OISF/suricata/blob/b51e4a395978889fabba99287261a616aa8cd37a/src/detect-parse.c#L2286
.

At a glance it looks like this could happen without signatures loaded, but
I am not positive.

-- 
Eric Urban
University Information Security | Office of Information Technology |
it.umn.edu
University of Minnesota | umn.edu
eurban at umn.edu


On Tue, Jan 1, 2019 at 8:40 AM MATT DOUgherty <doughertysnp at gmail.com>
wrote:

> Thank you for the reply Peter.
>
> Yes, same results.
>
> [root at newfw ~]# /usr/bin/suricata -c /etc/suricata/suricata.yaml -S
> /dev/null -i eth1
> 1/1/2019 -- 04:33:29 - <Notice> - This is Suricata version 4.1.2 RELEASE
> 1/1/2019 -- 04:33:29 - <Error> - [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre
> compile of "\S[0-9A-z_]+[.][A-z0-9_+.]+$" failed at offset 12: POSIX
> collating elements are not supported
>
> Offset 12 seems to indicate the plus character so I changed every instance
> to {1,} and still get the same basic error.
>
> [root at newfw ~]# /usr/bin/suricata -c /etc/suricata/suricata.yaml -S
> /dev/null -i eth1
> 1/1/2019 -- 04:33:29 - <Notice> - This is Suricata version 4.1.2 RELEASE
> 1/1/2019 -- 04:33:29 - <Error> - [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre
> compile of "\S[0-9A-z_]+[.][A-z0-9_+.]+$" failed at offset 12: POSIX
> collating elements are not supported
>
>
> Thanks for the thought. Maybe multiple Python regex libraries? I know it
> must be me because no one else seems to have this issue.
>
> Matt.
>
> On Jan 1, 2019, at 4:14 AM, Peter Manev <petermanev at gmail.com> wrote:
>
>
>
> On 30 Dec 2018, at 16:57, MATT DOUgherty <doughertysnp at gmail.com> wrote:
>
> I get a PCRE compile error that prevents any other interesting log data.
> Does anyone have an idea of what that could be?
>
> This is a clean install from source on CENTOS 6.10 with several versions
> of Suricata.  I have snort installed.  Is the existing snort install
> messing it up?
>
>
> [root at newfw suricata-4.1.2]# /usr/bin/suricata -c
> /etc/suricata/suricata.yaml -i eth1
> 30/12/2018 -- 04:51:07 - <Notice> - This is Suricata version 4.1.2 RELEASE
> 30/12/2018 -- 04:51:07 - <Error> - [ERRCODE: SC_ERR_PCRE_COMPILE(5)] -
> pcre compile of "\S[0-9A-z_]+[.][A-z0-9_+.]+$" failed at offset 12: POSIX
> collating elements are not supported
>
> ____
>
>
> Do you have the same error if you start/load with 0 rules? (You can try
> adding “-S /dev/null” to the starting line, could be rule related I was
> thinking)
>
>
>
> ___________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
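
Added example, not part of the original thread: a small Python helper that rejoins the wrapped, quoted Suricata log lines shown above and maps the reported offset to the token of the pattern it falls in. It assumes the offset is a zero-based index into the pattern string; `unwrap`, `tokenize` and `locate` are names made up for this example, and the sample input is constructed from the error quoted in the thread.

```python
import re

# Constructed sample: the error from the thread, still wrapped and "> "-quoted by the mail client.
SAMPLE = r'''> 1/1/2019 -- 04:33:29 - <Error> - [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre
> compile of "\S[0-9A-z_]+[.][A-z0-9_+.]+$" failed at offset 12: POSIX
> collating elements are not supported
'''
TS_RE = re.compile(r'\d{1,2}/\d{1,2}/\d{4} -- ')
ERR_RE = re.compile(r'SC_ERR_PCRE_COMPILE\(\d+\)\] - pcre compile of "(?P<pat>.*)" '
                    r'failed at offset (?P<off>\d+): (?P<why>.*)')
# One token per escape, bracket class or single character. Simplified: nested POSIX
# classes such as [[:alpha:]] are not recognised as part of the enclosing class.
TOKEN_RE = re.compile(r'\\.|\[\^?\]?(?:\\.|[^\]\\])*\]|.', re.S)

def unwrap(text):
    """Drop mail quote markers and rejoin wrapped lines into one string per log record."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r'^(?:>\s?)+', '', raw).strip()
        if line and (TS_RE.match(line) or not records):
            records.append(line)          # a timestamp starts a new record
        elif line:
            records[-1] += ' ' + line     # continuation (assumes no wrap inside the pattern)
    return records

def tokenize(pat):
    """Return (start, text) for every token in the pattern."""
    return [(m.start(), m.group()) for m in TOKEN_RE.finditer(pat)]

def locate(record):
    """Return (offset, token_start, token_text, reason) for a compile error, else None."""
    m = ERR_RE.search(record)
    if not m:
        return None
    pat, off = m.group('pat'), int(m.group('off'))
    for start, text in tokenize(pat):
        if start <= off < start + len(text):
            return off, start, text, m.group('why')
    return off, len(pat), '', m.group('why')   # offset is past the end of the pattern

if __name__ == '__main__':
    for rec in unwrap(SAMPLE):
        hit = locate(rec)
        if hit:
            print('offset %d falls in token %r (starts at %d): %s' % hit)
```

Under the zero-based assumption, the sample resolves offset 12 to the start of the `[.]` bracket class.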