Bug #697

closed

ERRCODE: SC_ERR_PCRE_MATCH with IPv6 address/subnet with suppress rule

Added by Jamie Strandboge over 11 years ago. Updated over 11 years ago.

Status: Closed
Priority: Normal

Description

Suppress rules like the following:
suppress gen_id 1, sig_id <id>, track by_dst, ip fe80::/16

fail with the following:
6/1/2013 -- 10:02:28 - <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string , track by_dst, ip fe80::/16

This is because DETECT_SUPPRESS_REGEX is only valid for IPv4 addresses:
#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src)\\s*,\\s*ip\\s*([\\d.:/]+)*\\s*$"

Adjusting this to the following seems to fix the issue:
#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src)\\s*,\\s*ip\\s*([\\da-f.:/]+)*\\s*$"

I used '[\\da-f.:/]+'. Could also probably use '[[:xdigit:].:/]+' but OTOH I wasn't sure if that would allow A-F and how Suricata would handle addresses with upper case if it did.


Files

fix-ipv6-suppress.patch (873 Bytes) Jamie Strandboge, 01/06/2013 11:18 AM
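The behaviour described in this report, as an added example that is not part of the original report or of Suricata's code: it runs the rule tail from the error message through the two regexes quoted above, plus a variant with the hex class spelled out for both cases (what PCRE's `[[:xdigit:]]` covers). Python's `ipaddress` module stands in for the address parsing that follows the regex; that step, the `check` helper and the sample tails other than the reported one are assumptions.

```python
import ipaddress
import re

# Patterns unescaped from the C string literals quoted in the report.
ORIGINAL = r"^,\s*track\s*(by_dst|by_src)\s*,\s*ip\s*([\d.:/]+)*\s*$"
PROPOSED = r"^,\s*track\s*(by_dst|by_src)\s*,\s*ip\s*([\da-f.:/]+)*\s*$"
# Python's re has no POSIX classes, so the [[:xdigit:]] set is written out.
XDIGIT = r"^,\s*track\s*(by_dst|by_src)\s*,\s*ip\s*([0-9A-Fa-f.:/]+)*\s*$"

PATTERNS = {
    "original": re.compile(ORIGINAL, re.ASCII),
    "proposed": re.compile(PROPOSED, re.ASCII),
    "xdigit": re.compile(XDIGIT, re.ASCII),
}


def check(tail, variant):
    """Classify a suppress-rule tail under one regex variant.

    Returns "regex-reject" (the SC_ERR_PCRE_MATCH case), "no-address"
    (the trailing '*' lets the address group match nothing), "bad-address"
    (the regex accepted text that is not an IP network), or
    "<track> <normalized network>".
    """
    m = PATTERNS[variant].match(tail)
    if m is None:
        return "regex-reject"
    track, addr = m.group(1), m.group(2)
    if addr is None:
        return "no-address"
    try:
        # Stand-in for the real address parser (assumption).
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return "bad-address"
    return f"{track} {net}"


if __name__ == "__main__":
    # First tail is the string from the reported error; the rest are constructed.
    tails = [", track by_dst, ip fe80::/16", ", track by_src, ip FE80::/16",
             ", track by_src, ip 10.0.0.0/8", ", track by_dst, ip 1.2.3.4.5",
             ", track by_dst, ip "]
    for tail in tails:
        print(repr(tail), {v: check(tail, v) for v in PATTERNS})
```

The character class is only a prefilter: every variant accepts strings that are not addresses and an empty address, so the parsed result still has to be validated after the match.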