Bug #40

closed

pcre rule parsing issue

Added by Victor Julien almost 15 years ago. Updated almost 15 years ago.

Status: Closed
Priority: Normal

Description

After a little testing, I have a small question about this signature:
alert tcp any any -> any any (msg:"test"; pcre:!"/MODE/m"; sid:987654321; rev:1;)
If I start suricata:
./suricata080beta -c suricata.yaml -r test.pcap --init-errors-fatal
...
[14876] 2/1/2010 -- 18:52:58 - (detect.c:327) <Info> (SigLoadSignatures) -- Loading rule file: /home/test/snort/rules/chat2.rules
DetectPcreParse: unknown regex modifier '/'
[14876] 2/1/2010 -- 18:52:58 - (detect-parse.c:811) <Error> (SigInitReal) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(19)] - Signature init failed "alert tcp any any -> any any (msg:"test"; pcre:!"/MODE/m"; sid:987654321; rev:1;)

I have the same problem with this signature variant:
alert tcp any any -> any any (msg:"test"; pcre:!"/MODE/i"; sid:987654321; rev:1;)


Actions #1

Updated by Will Metcalf almost 15 years ago

  • Due date set to 02/13/2010
  • Estimated time changed from 1.00 h to 2.50 h

This affects us loading valid VRT and emerging rules. Anybody want to grab this one?

Actions #2

Updated by Jason Ish almost 15 years ago

  • Assignee changed from OISF Dev to Jason Ish

Actions #4

Updated by Victor Julien almost 15 years ago

  • Status changed from Resolved to Closed

Patch applied, thanks Jason.
