[Oisf-users] Suricata versions (4.1.2 and 3.1) will not run after initial install on CENTOS 6.10 with SC_ERR_PCRE_COMPILE error

MATT DOUgherty doughertysnp at gmail.com
Tue Jan 1 21:37:21 UTC 2019


Attaching a debug file with some repetitive lines removed.

Not sure if the attachment will go through. I specify a signature file that I know exists and I get the same thing. strace shows it never even tries to open the sig file.

Matt.

> On Jan 1, 2019, at 2:27 PM, Eric Urban <eurban at umn.edu> wrote:
> 
> That pcre is present in detect-engine-event.c (https://github.com/OISF/suricata/blob/16643befe7bebb9736d44f3a02efdf71135a7b84/src/detect-engine-event.c#L45), so the error is likely coming from detect-parse.c at https://github.com/OISF/suricata/blob/b51e4a395978889fabba99287261a616aa8cd37a/src/detect-parse.c#L2286.
> 
> At a glance it looks like this could happen without signatures loaded, but am not positive.
> 
> -- 
> Eric Urban
> University Information Security | Office of Information Technology | it.umn.edu
> University of Minnesota | umn.edu
> eurban at umn.edu
> 
> 
> On Tue, Jan 1, 2019 at 8:40 AM MATT DOUgherty <doughertysnp at gmail.com> wrote:
> Thank you for the reply Peter.
> 
> Yes, same results.
> 
> [root at newfw ~]# /usr/bin/suricata -c /etc/suricata/suricata.yaml -S /dev/null -i eth1
> 1/1/2019 -- 04:33:29 - <Notice> - This is Suricata version 4.1.2 RELEASE
> 1/1/2019 -- 04:33:29 - <Error> - [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of "\S[0-9A-z_]+[.][A-z0-9_+.]+$" failed at offset 12: POSIX collating elements are not supported
> 
> Offset 12 seems to indicate the plus character so I changed every instance to {1,} and still get the same basic error.
> 
> [root at newfw ~]# /usr/bin/suricata -c /etc/suricata/suricata.yaml -S /dev/null -i eth1
> 1/1/2019 -- 04:33:29 - <Notice> - This is Suricata version 4.1.2 RELEASE
> 1/1/2019 -- 04:33:29 - <Error> - [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of "\S[0-9A-z_]+[.][A-z0-9_+.]+$" failed at offset 12: POSIX collating elements are not supported
> 
> 
> Thanks for the thought. Maybe multiple python regex libraries? I know it must be me because no one else seems to have this issue.
> 
> Matt.
> 
>> On Jan 1, 2019, at 4:14 AM, Peter Manev <petermanev at gmail.com> wrote:
>> 
>> 
>> 
>> On 30 Dec 2018, at 16:57, MATT DOUgherty <doughertysnp at gmail.com> wrote:
>> 
>>> I get a PCRE compile error that prevents any other interesting log data. Does anyone have an idea of what that could be?
>>> 
>>> This is a clean install from source on CENTOS 6.10 with several versions of Suricata. I have snort installed. Is the existing snort install messing it up?
>>> 
>>> 
>>> [root at newfw suricata-4.1.2]# /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth1
>>> 30/12/2018 -- 04:51:07 - <Notice> - This is Suricata version 4.1.2 RELEASE
>>> 30/12/2018 -- 04:51:07 - <Error> - [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - pcre compile of "\S[0-9A-z_]+[.][A-z0-9_+.]+$" failed at offset 12: POSIX collating elements are not supported
>> 
>> Do you have the same error if you start/load with 0 rules? (You can try adding "-S /dev/null" to the starting line, could be rule related I was thinking)
>> 
>> 
>> 
>>> ___________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> 
>>> Conference: https://suricon.net
>>> Trainings: https://suricata-ids.org/training/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug.out.short
Type: application/octet-stream
Size: 50643 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20190101/0f032882/attachment-0001.obj>
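
Added example (not part of the original thread or of Suricata): a small Python helper that parses the SC_ERR_PCRE_COMPILE line quoted above and marks the character at the reported offset. It assumes the offset is the 0-based byte offset that pcre_compile() reports and that the pattern is ASCII; the function names and the sample constant are illustrative.

```python
import re

# Constructed sample: the error line as quoted in the thread.
SAMPLE = (r'1/1/2019 -- 04:33:29 - <Error> - [ERRCODE: SC_ERR_PCRE_COMPILE(5)] - '
          r'pcre compile of "\S[0-9A-z_]+[.][A-z0-9_+.]+$" failed at offset 12: '
          r'POSIX collating elements are not supported')

LINE_RE = re.compile(
    r'\[ERRCODE: SC_ERR_PCRE_COMPILE\(\d+\)\] - pcre compile of "(?P<pat>.*)" '
    r'failed at offset (?P<off>\d+): (?P<msg>.*)$')

# POSIX bracket-expression openers: [: class :], [. collating .], [= equiv =]
POSIX_OPENERS = {"[:": "class", "[.": "collating element",
                 "[=": "equivalence class"}


def locate(line):
    """Return a dict describing where pattern compilation stopped, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    pat, off = m.group("pat"), int(m.group("off"))
    if off > len(pat):
        raise ValueError("offset %d is past the end of the pattern" % off)
    return {
        "pattern": pat,
        "offset": off,
        "char": pat[off:off + 1],  # empty string when offset == len(pat)
        "posix_opener": POSIX_OPENERS.get(pat[off:off + 2]),
        "message": m.group("msg"),
        "marker": " " * off + "^",  # caret line to print under the pattern
    }


def report(line):
    """Render the pattern, a caret under the offset, and what sits there."""
    info = locate(line)
    if info is None:
        return "no SC_ERR_PCRE_COMPILE record in line"
    out = [info["pattern"], info["marker"],
           "offset %d is %r: %s" % (info["offset"], info["char"], info["message"])]
    if info["posix_opener"]:
        out.append("text at offset opens a POSIX %s" % info["posix_opener"])
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE))
```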