Bug #1549 (closed): flow keywords rule parsing
Affected Versions:
Effort: low
Difficulty: low
Label:
Description
Using Suricata dev 2.1dev (rev a4bce14).
If there is the following - purposefully wrong - signature:
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Wrong Msg"; flow: to_server,establishedWrongHere; sid:11111111; rev:1;)
We get the following error:
[10603] 14/9/2015 -- 21:26:54 - (detect.c:412) <Info> (ProcessSigFiles) -- Loading rule file: /etc/suricata/rules/remove_me.rules
[10603] 14/9/2015 -- 21:26:54 - (detect-flow.c:189) <Error> (DetectFlowParse) -- [ERRCODE: SC_ERR_PCRE_GET_SUBSTRING(4)] - pcre_copy_substring failed
[10603] 14/9/2015 -- 21:26:54 - (detect.c:366) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Wrong Msg"; flow: to_server,establishedWrongHere; sid:11111111; rev:1;)" from file /etc/suricata/rules/remove_me.rules at line 21
[10603] 14/9/2015 -- 21:26:54 - (detect.c:422) <Warning> (ProcessSigFiles) -- [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from /etc/suricata/rules/remove_me.rules
[10603] 14/9/2015 -- 21:26:54 - (detect.c:513) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
[10603] 14/9/2015 -- 21:26:54 - (detect.c:2976) <Info> (SigAddressPrepareStage1) -- 0 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 0 inspect application layer, 0 are decoder event only
There is a valid error, but the error message is not correct (pcre_copy_substring failed), as there is no pcre inside the rule.
Updated by Victor Julien over 9 years ago
The message is technically correct. Pcre is used for parsing rules. It's not a very clear message for users though.
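As an added illustration (not code from the ticket or from Suricata), the kind of pre-load check a rule maintainer can run to get the message the parser does not give: it splits the rule's option body, validates every value of the flow keyword, and names the offending token instead of reporting an internal pcre failure. The accepted value set is assumed here as a subset of the documented flow options, and the direction-conflict check is an assumption about what a clear validator should report.

```python
# Flow option values this linter accepts. Assumed here as a subset of the
# values documented for Suricata's flow keyword; not taken from Suricata source.
FLOW_OPTIONS = {
    "to_client", "to_server", "from_client", "from_server",
    "established", "stateless", "only_stream", "no_stream",
}
# Direction values that exclude each other within one flow keyword (assumption).
DIRECTIONS = {"to_client", "to_server", "from_client", "from_server"}


def split_rule_options(rule):
    """Split the option body between '(' and ')' on ';', ignoring ';' inside quotes."""
    if "(" not in rule or ")" not in rule:
        return []
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options, current, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            options.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if "".join(current).strip():
        options.append("".join(current).strip())
    return options


def check_flow_keyword(rule):
    """Return None when every flow value is known, else a message naming the bad one."""
    for option in split_rule_options(rule):
        name, sep, value = option.partition(":")
        if name.strip() != "flow" or not sep:
            continue  # skips other keywords, including flowbits/flowint
        values = [v.strip() for v in value.split(",")]
        for v in values:
            if v not in FLOW_OPTIONS:
                return "flow: unknown option '%s' (expected one of %s)" % (
                    v, ", ".join(sorted(FLOW_OPTIONS)))
        if len(DIRECTIONS & set(values)) > 1:
            return "flow: conflicting direction options %s" % ", ".join(
                sorted(DIRECTIONS & set(values)))
    return None


if __name__ == "__main__":
    # The purposefully wrong signature from the report above.
    bad = ('alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Wrong Msg"; '
           'flow: to_server,establishedWrongHere; sid:11111111; rev:1;)')
    print(check_flow_keyword(bad))
```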
Updated by Peter Manev over 9 years ago
Yes - it confused me, with the message being with regard to a pcre expression in the rule itself.
Updated by Andreas Herz over 8 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Victor Julien about 6 years ago
- Assignee changed from OISF Dev to Anonymous
- Effort set to low
- Difficulty set to low
Updated by Shivani Bhardwaj over 5 years ago
I think this is sorted then. Should be closed?