Bug #40
closedpcre rule parsing issue
Description
After small testing, I have a small question with this signature:
alert tcp any any > any any (msg:"test"; pcre:!"/MODE/m"; sid:987654321; rev:1;) 18:52:58 - (detect.c:327) <Info> (SigLoadSignatures) -- Loading rule file: /home/test/snort/rules/chat2.rules
If I start suricata:
./suricata080beta -c suricata.yaml -r test.pcap --init-errors-fatal
...
[14876] 2/1/2010 -
DetectPcreParse: unknown regex modifier '/'
[14876] 2/1/2010 -- 18:52:58 - (detect-parse.c:811) <Error> (SigInitReal)
-- [ERRCODE: SC_ERR_INVALID_SIGNATURE(19)] - Signature init failed "alert tcp any any -> any any (msg:"test"; pcre:!"/MODE/m"; sid:987654321; rev:1;)
I have same pb with signature variant:
alert tcp any any -> any any (msg:"test"; pcre:!"/MODE/i"; sid:987654321; rev:1;)
Files
Updated by Will Metcalf almost 15 years ago
- Due date set to 02/13/2010
- Estimated time changed from 1.00 h to 2.50 h
This affects us loading valid VRT and emerging rules. Anybody want to grab this one?
Updated by Jason Ish almost 15 years ago
- Assignee changed from OISF Dev to Jason Ish
Updated by Jason Ish almost 15 years ago
- File 0001-supply-pcre_get_substring-with-the-proper-start-of-t.patch 0001-supply-pcre_get_substring-with-the-proper-start-of-t.patch added
- Status changed from New to Resolved
Updated by Victor Julien almost 15 years ago
- Status changed from Resolved to Closed
Patch applied, thanks Jason.