Bug #1240

closed

[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer

Added by Ricco Braino over 9 years ago. Updated about 8 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

I think I have found a new bug which was meant to have been fixed (maybe)? The original bug was 1098 (http_raw_uri with relative pcre parsing issue).

So I have a rule like: alert tcp any any <> any any (msg: "blah"; content:"blah"; http_header; nocase; pcre:"/^blah/Ri"; sid:1000000; rev:1;)

When you start Suricata 2.0.2 I get the errors:
[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any <> any any (msg: "blah"; content:"blah"; http_header; nocase; pcre:"/^blah/IRi"; sid:1000000; rev:1;) " from file /etc/suricata/rules/ricco.rules at line 1

Error stops if you remove http_header and nocase (but that would make the rule inaccurate). I have also tried pcre:"/^blah/R" and pcre:"/^blah/IR" which I saw in some other threads on here and the internet.

Being as I have many rules of this format, this is hurting right now.

Ricco Braino

Actions #1

Updated by Victor Julien over 9 years ago

You will need to use the H pcre modifier, see Pcre_(Perl_Compatible_Regular_Expressions)

Actions #2

Updated by Andreas Herz about 8 years ago

  • Status changed from New to Closed

Solution provided by Victor.
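
An added example, not part of the original thread and not Suricata's own parser: a small Python check that finds rules where a relative pcre (/R) is not in the same buffer as the preceding match, as in this report, and names the pcre flag to add. It assumes the content-modifier syntax used in the rule above (modifier after content) and covers only a subset of the HTTP buffer flags; check_rule and the sample rules are constructed for illustration.

```python
import re

# Subset of Suricata pcre flags that select an HTTP buffer, mapped to the
# content modifier for the same buffer (assumed subset, not the full list).
PCRE_BUFFER_FLAGS = {
    "U": "http_uri", "I": "http_raw_uri", "H": "http_header",
    "D": "http_raw_header", "P": "http_client_body", "Q": "http_server_body",
    "M": "http_method", "C": "http_cookie", "V": "http_user_agent",
    "W": "http_host",
}
BUFFER_TO_FLAG = {buf: flag for flag, buf in PCRE_BUFFER_FLAGS.items()}

# One rule option: name[:value]; the value may hold quoted strings containing ';'.
OPTION_RE = re.compile(r'\s*([\w.]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')


def check_rule(rule):
    """Return findings for relative pcre options whose buffer differs from the
    buffer of the preceding match. Each finding is a tuple:
    (pcre_value, pcre_buffer, preceding_buffer, flag_to_add_or_None)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    findings = []
    prev_buffer = None  # buffer of the most recent content/pcre match
    for name, value in OPTION_RE.findall(body):
        if name == "content":
            prev_buffer = "payload"  # plain content inspects the payload
        elif name in BUFFER_TO_FLAG and prev_buffer is not None:
            prev_buffer = name  # modifier moves the preceding content
        elif name == "pcre":
            flags = value.strip().strip('"').rsplit("/", 1)[-1]
            buffers = [PCRE_BUFFER_FLAGS[f] for f in flags if f in PCRE_BUFFER_FLAGS]
            pcre_buffer = buffers[0] if buffers else "payload"
            if "R" in flags and pcre_buffer != prev_buffer:
                findings.append((value.strip(), pcre_buffer, prev_buffer,
                                 BUFFER_TO_FLAG.get(prev_buffer)))
            prev_buffer = pcre_buffer
    return findings


if __name__ == "__main__":
    # Constructed samples based on the rule in this report.
    template = ('alert tcp any any <> any any (msg: "blah"; content:"blah"; '
                'http_header; nocase; pcre:"/^blah/%s"; sid:1000000; rev:1;)')
    for flags in ("Ri", "IRi", "RHi"):
        for pcre, got, want, flag in check_rule(template % flags) or [None] * 1:
            print(f"{pcre}: pcre is in {got}, previous match in {want}; add '{flag}'")
```
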
