Bug #49

closed

Atomic Grouping needs to be updated for PARSE_REGEX in detect-pcre.c to allow for matches ending with \\

Added by Will Metcalf almost 15 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
High

Description

The second atomic grouping "(?<!\\\\)" in the regex below prevents pcre matches ending in "\\" from being parsed.

#define PARSE_REGEX "(?<!\\\\)/(.*)(?<!\\\\)/([^\"]*)"

This e-mail was sent to the oisf-devel list.

Hi,
During my test, I have a pcre error with this signature:
alert tcp any any -> any any (msg:"test7"; pcre:"/\\/"; classtype:policy-violation; sid:987654321; rev:1;)
It's a simplified signature to demonstrate the pcre error. (This signature works with snort.)
suricata error:
[3834] 5/1/2010 -- 09:58:46 - (detect.c:327) <Info> (SigLoadSignatures) -- Loading rule file: test.rules
[3834] 5/1/2010 -- 09:58:46 - (detect-parse.c:811) <Error> (SigInitReal) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(19)] - Signature init failed "alert tcp any any -> any any (msg:"test7"; pcre:"/\\/"; classtype:policy-violation; sid:987654321; rev:1;)
suricata cmd line starting:
./suricata080beta -c suricata.yaml -r test.pcap --init-errors-fatal
If I replace "\\" with "\x7C" it works.
Regards
Rmkml



Actions #1

Updated by Victor Julien almost 15 years ago

  • Due date changed from 01/10/2010 to 03/13/2010
  • Target version changed from 0.8.1 to 0.8.2
Actions #2

Updated by Victor Julien over 14 years ago

  • Due date changed from 03/13/2010 to 04/16/2010
  • Assignee changed from OISF Dev to Pablo Rincon
  • Priority changed from Normal to High
Actions #3

Updated by Pablo Rincon over 14 years ago

Done, I changed the regex to "(?<!\\\\)/(.*(?<!(?<!\\\\)\\\\))/([^\"]*)"
It might look ugly but the idea is that we allow an ending slash only if the previous char is a slash too. So we do not allow a regex like pcre:"/hi\/" (because it cannot escape the closing slash), but we do allow pcre:"/hi\\/" (or just as the first example "/\\/").
I also added unit tests for parsing, and matching.
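The following is an added illustration, not code from the ticket or from Suricata: it unescapes both C string literals above into the regexes PCRE actually sees and runs them, via Python's re module, over the option values discussed in this bug (plus a few constructed ones), so the old failure and the new behaviour can be compared side by side. Feeding the option value with its surrounding quotes is an assumption about what the parser receives; the trailing [^"]* group makes it harmless either way.

```python
import re

# The two C string literals from the ticket, written as the regexes PCRE
# actually sees once the C escaping is removed.
OLD_PARSE_REGEX = re.compile(r'(?<!\\)/(.*)(?<!\\)/([^"]*)')
NEW_PARSE_REGEX = re.compile(r'(?<!\\)/(.*(?<!(?<!\\)\\))/([^"]*)')


def split_pcre_option(option, parse_regex=NEW_PARSE_REGEX):
    """Split a pcre option value into (regex, flags), or return None when it
    does not parse (the condition reported as SC_ERR_INVALID_SIGNATURE)."""
    m = parse_regex.search(option)
    if m is None:
        return None
    return m.group(1), m.group(2)


def compare(option):
    """Return (old_result, new_result) for one option value."""
    return (split_pcre_option(option, OLD_PARSE_REGEX),
            split_pcre_option(option, NEW_PARSE_REGEX))


# Option values as written in a rule, surrounding quotes included (assumed
# input shape). The first three come from the ticket; the rest are constructed.
CASES = [
    r'"/\\/"',      # test7 signature: old regex fails, new one parses
    r'"/hi\/"',     # escaped closing slash: both reject, as intended
    r'"/hi\\/"',    # escaped backslash before the slash: new one parses
    r'"/a\/b/"',    # constructed: escaped slash inside the body, both parse
    r'"/abc/i"',    # constructed: ordinary regex with flags, both parse
    r'"/a\\\/"',    # constructed: the lookbehind only inspects two characters,
                    # so this is also accepted although \\\/ ends in an escaped slash
]

if __name__ == "__main__":
    for case in CASES:
        old, new = compare(case)
        print(f"{case:14} old={old!s:24} new={new}")
```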

Actions #4

Updated by Victor Julien over 14 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 90 to 100

Applied, thanks Pablo.
