Bug #142 (Closed)
byte_jump/byte_test + relative does not work when previous match is pcre.
Description
byte_jump/byte_test + relative does not work when the previous match is pcre. This should be a supported feature, as it is supported in Snort.
[3499] 4/5/2010 -- 19:41:06 - (detect-bytetest.c:538) <Error> (DetectBytetestSetup) -- [ERRCODE: SC_ERR_BYTETEST_MISSING_CONTENT(103)] - relative bytetest match needs a previous content option
[3499] 4/5/2010 -- 19:41:06 - (detect.c:295) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(36)] - Error parsing signature "alert tcp any any -> any any (msg:"pcre + byte_test + relative"; pcre:"/AllWorkAndNoPlayMakesWillADullBoy/"; byte_test:1,=,1,6,relative,string,dec; classtype:bad-unknown; sid:126; rev:1;)" from file /home/coz/allworkplain.rules at line 20
[3499] 4/5/2010 -- 19:41:06 - (detect-bytejump.c:518) <Error> (DetectBytejumpSetup) -- [ERRCODE: SC_ERR_BYTEJUMP_MISSING_CONTENT(104)] - relative bytejump match needs a previous content option
[3499] 4/5/2010 -- 19:41:06 - (detect.c:295) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(36)] - Error parsing signature "alert tcp any any -> any any (msg:"pcre + byte_test + relative"; pcre:"/AllWorkAndNoPlayMakesWillADullBoy/"; byte_jump:1,6,relative,string,dec; content:"0"; within:1; classtype:bad-unknown; sid:134; rev:1;)" from file /home/coz/allworkplain.rules at line 53
01/04-12:29:26.927934 [**] [1:134:1] pcre + byte_test + relative [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.2.3:39867 -> 209.85.225.105:80
01/04-12:29:26.927934 [**] [1:126:1] pcre + byte_test + relative [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.2.3:39867 -> 209.85.225.105:80
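The two signatures from the report, evaluated by a small Python model of the keyword semantics (an added example, not Suricata's or Snort's code): the end of the pcre match becomes the anchor that a relative byte_test or byte_jump reads from, which is exactly the anchor the parser above refused to accept when no content keyword preceded it. The function names, helper signatures and the sample payload are my own constructions.

```python
import re

# Constructed sample payload (not from the bug report), laid out so both rules
# match: the pcre sets the anchor, "abcdef" is the 6-byte offset, "1" is the byte
# read as a decimal string, "x" is what a jump of 1 skips, "0" is the content.
PAYLOAD = b"AllWorkAndNoPlayMakesWillADullBoy" + b"abcdef" + b"1" + b"x" + b"0trailing"

OPS = {"=": lambda a, b: a == b, "<": lambda a, b: a < b, ">": lambda a, b: a > b}


def pcre(payload, pattern, start=0):
    """Return the end offset of the regex match: the new 'last match' anchor."""
    m = re.compile(pattern).search(payload, start)
    return m.end() if m else None


def read_relative(payload, last, offset, nbytes, base):
    """Read nbytes at last+offset as an ASCII number ('relative,string,<base>')."""
    if last is None:  # 'relative' needs an anchor: a content or, per the report, a pcre
        raise ValueError("relative byte_test/byte_jump needs a previous match")
    chunk = payload[last + offset:last + offset + nbytes]
    try:
        return int(chunk.decode("ascii"), base) if len(chunk) == nbytes else None
    except ValueError:  # non-ASCII or non-numeric bytes: no match
        return None


def byte_test(payload, last, nbytes, op, value, offset, base=10):
    """byte_test:nbytes,op,value,offset,relative,string,<base>."""
    n = read_relative(payload, last, offset, nbytes, base)
    return n is not None and OPS[op](n, value)


def byte_jump(payload, last, nbytes, offset, base=10):
    """byte_jump:nbytes,offset,relative,string,<base>; returns the new anchor."""
    n = read_relative(payload, last, offset, nbytes, base)
    return None if n is None else last + offset + nbytes + n


def content_within(payload, last, needle, within):
    """content:needle; within:N -> needle must lie entirely in the next N bytes."""
    idx = payload.find(needle, last, last + within)
    return None if idx == -1 else idx + len(needle)


def rule_126(payload):
    """pcre:"/AllWorkAndNoPlayMakesWillADullBoy/"; byte_test:1,=,1,6,relative,string,dec;"""
    last = pcre(payload, rb"AllWorkAndNoPlayMakesWillADullBoy")
    return last is not None and byte_test(payload, last, 1, "=", 1, 6)


def rule_134(payload):
    """pcre:"/.../"; byte_jump:1,6,relative,string,dec; content:"0"; within:1;"""
    last = pcre(payload, rb"AllWorkAndNoPlayMakesWillADullBoy")
    if last is not None:
        last = byte_jump(payload, last, 1, 6)
    return last is not None and content_within(payload, last, b"0", 1) is not None
```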
Updated by Gurvinder Singh over 14 years ago
- Assignee changed from OISF Dev to Gurvinder Singh
Updated by Gurvinder Singh over 14 years ago
- File 0001-set-the-byte_jum-byte_test-with-relative-keyword-whe.patch added
- Status changed from New to Resolved
- % Done changed from 0 to 90
The attached patch fixes the support for setting the rule when pcre is the previous keyword. For the byte_jump rule, there is a within keyword; to set it, please apply the patch from bug 145.
Updated by Victor Julien over 14 years ago
- Status changed from Resolved to Closed
- Target version changed from 1.0.0 to 0.9.1
- % Done changed from 90 to 100
Applied, thanks Gurvinder.