Bug #1240
closed
[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
Description
I think I have found a new bug which was meant to have been fixed (maybe)? The original bug was 1098 (http_raw_uri with relative pcre parsing issue).
So I have a rule like:
alert tcp any any <> any any (msg: "blah"; content:"blah"; http_header; nocase; pcre:"/^blah/Ri"; sid:1000000; rev:1;)
When you start Suricata 2.0.2 I get the errors:
[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre with /R (relative) needs preceeding match in the same buffer
<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any <> any any (msg: "blah"; content:"blah"; http_header; nocase; pcre:"/^blah/IRi"; sid:1000000; rev:1;) " from file /etc/suricata/rules/ricco.rules at line 1
The error stops if you remove http_header and nocase (but that would make the rule inaccurate). I have also tried pcre:"/^blah/R" and pcre:"/^blah/IR", which I saw in some other threads on here and the internet.
Being as I have many rules of this format, this is hurting right now.
Ricco Braino
Updated by Victor Julien over 9 years ago
You will need to use the H pcre modifier, see Pcre_(Perl_Compatible_Regular_Expressions)
Updated by Andreas Herz about 8 years ago
- Status changed from New to Closed
Solution provided by Victor.
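A rule-file check for the mismatch discussed in this thread, as an added example that is not part of the original report and is not Suricata's own code. It is a simplified model: the modifier-to-flag table is a subset of Suricata's legacy HTTP content modifiers, and `check_relative_pcre` and the sample constants are hypothetical names.

```python
import re

# Legacy Suricata content modifiers and the pcre flag that selects the same buffer
# (subset; extend for the other HTTP buffers your rules use).
BUFFER_FLAG = {
    "http_uri": "U", "http_raw_uri": "I", "http_header": "H",
    "http_raw_header": "D", "http_client_body": "P",
    "http_cookie": "C", "http_method": "M",
}
FLAG_BUFFER = {flag: kw for kw, flag in BUFFER_FLAG.items()}

# One rule option: keyword, optionally followed by ':' and a quoted or bare value.
OPTION_RE = re.compile(r'\s*([\w.]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
PCRE_RE = re.compile(r'^"/(.*)/([A-Za-z]*)"$', re.S)

def check_relative_pcre(rule):
    """Return (pcre, pcre_buffer, preceding_buffer) for every /R pcre whose
    buffer differs from that of the match before it (None = no match before)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    findings, last_buffer = [], None
    for key, val in OPTION_RE.findall(body):
        if key == "content":
            last_buffer = "payload"          # until a modifier keyword moves it
        elif key in BUFFER_FLAG and last_buffer is not None:
            last_buffer = key                # modifier applies to preceding content
        elif key == "pcre" and PCRE_RE.match(val):
            flags = PCRE_RE.match(val).group(2)
            buf = next((FLAG_BUFFER[f] for f in flags if f in FLAG_BUFFER), "payload")
            if "R" in flags and buf != last_buffer:
                findings.append((val, buf, last_buffer))
            last_buffer = buf                # the pcre is now the preceding match
    return findings

# Constructed sample rules based on the rule quoted in the report.
REPORTED = ('alert tcp any any <> any any (msg: "blah"; content:"blah"; http_header; '
            'nocase; pcre:"/^blah/Ri"; sid:1000000; rev:1;)')
WITH_H = REPORTED.replace("/Ri", "/RHi")     # the H modifier suggested in the reply

if __name__ == "__main__":
    for rule in (REPORTED, WITH_H):
        for pcre, buf, prev in check_relative_pcre(rule):
            print(f"{pcre}: relative pcre inspects {buf}, previous match is in {prev}; "
                  f"matching pcre flag: {BUFFER_FLAG.get(prev, 'none')}")
```

Run over the reported rule, it flags the `/Ri` pcre as inspecting the payload while the preceding content is in `http_header`; the `/RHi` variant produces no finding.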