Project

General

Profile

Actions

Bug #737

closed

reference parsing - rules

Added by Peter Manev almost 12 years ago. Updated almost 12 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

[9898] 28/1/2013 -- 14:47:39 - (detect-reference.c:128) <Error> (DetectReferenceParse) -- [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string nikto-scans

[9898] 28/1/2013 -- 14:47:39 - (detect.c:348) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> any any (msg:"HTTP requests tests - sid 8000001 , pcap - 8000001 ";   content:"GET"; http_method; content:"/cgi-bin/cart32.exe"; http_uri; uricontent:"/cgi-bin/cart32.exe";   reference:nikto-scans; sid:8000001; rev:1;)" from file /root/Work/Python/Scripts/test45/8000001.rules at line 1

notice the wrong use of
reference:nikto-scans;
instead of
reference:url, www.webaddress.com;

the output err says:
[ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string nikto-scans
but that is misleading - it is not a pcre expression.

Actions

Also available in: Atom PDF