ERRCODE: SC_ERR_PCRE_MATCH with IPv6 address/subnet with suppress rule
Suppress rules like the following:
suppress gen_id 1, sig_id <id>, track by_dst, ip fe80::/16
fail with the following:
6/1/2013 -- 10:02:28 - <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string , track by_dst, ip fe80::/16
This is because DETECT_SUPPRESS_REGEX is only valid for IPv4 addresses:
#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src)\\s*,\\s*ip\\s*([\\d.:/]+)*\\s*$"
Adjusting this to the following seems to fix the issue:
#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src)\\s*,\\s*ip\\s*([\\da-f.:/]+)*\\s*$"
I used '[\\da-f.:/]+'. Could also probably use '[[:xdigit:].:/]+' but OTOH I wasn't sure if that would allow A-F and how Suricata would handle addresses with upper case if it did.
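As an added illustration, not code from the report or from the Suricata source, the two regexes quoted above are run under Python's re module (which accepts these patterns unchanged) against the failing rule tail from the error message plus constructed IPv4 and upper-case IPv6 samples; parse_suppress_tail and compare are hypothetical helper names.

```python
import re

# The two patterns from the report, with the C string escapes resolved.
OLD_SUPPRESS_REGEX = r"^,\s*track\s*(by_dst|by_src)\s*,\s*ip\s*([\d.:/]+)*\s*$"
NEW_SUPPRESS_REGEX = r"^,\s*track\s*(by_dst|by_src)\s*,\s*ip\s*([\da-f.:/]+)*\s*$"


def parse_suppress_tail(tail, pattern=NEW_SUPPRESS_REGEX):
    """Parse the ', track <dir>, ip <addr>' tail of a suppress rule.

    Returns (track, ip) on success, or None when the regex does not match,
    which is the condition that yields SC_ERR_PCRE_MATCH in the report.
    """
    m = re.match(pattern, tail)
    if m is None:
        return None
    return m.group(1), m.group(2)


# Constructed sample tails; the first is the one quoted in the error message.
SAMPLES = [
    ", track by_dst, ip fe80::/16",
    ", track by_src, ip 10.0.0.0/8",
    ", track by_dst, ip 2001:DB8::1",  # upper-case hex digits
]


def compare(tails=SAMPLES):
    """Map each tail to (old-regex result, new-regex result)."""
    return {
        t: (parse_suppress_tail(t, OLD_SUPPRESS_REGEX), parse_suppress_tail(t))
        for t in tails
    }


if __name__ == "__main__":
    for tail, (old, new) in compare().items():
        print(f"{tail!r}: old={old} new={new}")
```

The upper-case sample is rejected by both patterns, which is the open question the report raises about A-F.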
Updated by Jamie Strandboge over 8 years ago
I submitted an updated patch using https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing_to_Suricata. Not sure if it was required for a patch of this size, but I also signed the contributor agreement.