Bug #784

closed

pcre relative match with content FN

Added by Anoop Saldanha over 11 years ago. Updated over 11 years ago.

Status:
Closed
Priority:
Normal

Description

Originally reported by Will Metcalf.

<quote>
Given a http_response containing something like this it seems like maybe suricata won't search the rest of the buffer for another instance of a content match (in this case value) once we have failed pcre match. I'm using suricata-1.4.1.

<applet archive="favorite.jar" code="game.A.class" width="100" height="100">
<param name="T" value="fh.veryeronuebcf.rvyfry">
<param name="D" value="755d8b55f354b8194533c19af9486fa9">
<param name="V" value="favorite">

#works
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible RedDotv2 applet with 32hex value Landing Page"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^((?!<\/applet>).)+[\r\n\s]value[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])[a-f0-9]{32}(?P=q1)/Rsi"; classtype:trojan-activity; sid:999999; rev:2;)

#fails
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible RedDotv2 applet with 32hex value Landing Page"; flow:established,from_server; file_data; content:"value"; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])[a-f0-9]{32}(?P=q1)/Rsi"; classtype:trojan-activity; sid:322222; rev:2;)

#First Value Match Test Works
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible RedDotv2 applet with 32hex value Landing Page"; flow:established,from_server; file_data; content:"value"; nocase; pcre:"/^[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])fh\.veryeronuebcf\.rvyfry(?P=q1)/Rsi"; classtype:trojan-activity; sid:32932; rev:2;)

#fails
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible RedDotv2 applet with 32hex value Landing Page"; flow:established,from_server; file_data; content:"<applet"; nocase; content:"value"; nocase; distance:0; pcre:"/^[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])[a-f0-9]{32}(?P=q1)/Rsi"; classtype:trojan-activity; sid:222222; rev:2;)

</quote>

Issue has been identified.
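The behaviour the report describes, as an added illustration that is not Suricata code: a content match followed by a relative, anchored pcre must be retried against every later occurrence of the content, not abandoned after the first failed pcre. The body is a constructed sample modelled on the applet snippet above, and `content_then_relative_pcre` is a hypothetical helper that emulates `content; nocase; pcre:"/^.../R"` with Python's `re`.

```python
import re

# Constructed sample response body, modelled on the applet snippet in the report.
SAMPLE_BODY = (
    '<applet archive="favorite.jar" code="game.A.class" width="100" height="100">\n'
    '<param name="T" value="fh.veryeronuebcf.rvyfry">\n'
    '<param name="D" value="755d8b55f354b8194533c19af9486fa9">\n'
    '<param name="V" value="favorite">\n'
)

# Relative pcre from the failing rule (sid 322222): 32 hex chars inside matching quotes.
HEX32_PCRE = re.compile(
    r'^[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])[a-f0-9]{32}(?P=q1)', re.S | re.I)
# Relative pcre from the rule that works (sid 32932): it only needs the first "value".
FIRST_VALUE_PCRE = re.compile(
    r'^[\r\n\s]*=[\r\n\s]*(?P<q1>[\x22\x27])fh\.veryeronuebcf\.rvyfry(?P=q1)', re.S | re.I)


def content_then_relative_pcre(buf, content, pcre, retry_next_content=True):
    """Emulate `content:"..."; nocase; pcre:"/^.../R";` over an ASCII buffer.

    Returns (content_offset, pcre_match_text) or None. With
    retry_next_content=False only the first content occurrence is tried,
    which reproduces the false negative in the report: one failed relative
    pcre ends the search even though a later "value" would have matched.
    """
    lower, needle = buf.lower(), content.lower()   # nocase comparison
    pos = 0
    while (idx := lower.find(needle, pos)) != -1:
        # /R: the pcre is evaluated from the end of the content match, and
        # ^ must anchor at exactly that point, hence the slice.
        m = pcre.match(buf[idx + len(needle):])
        if m:
            return idx, m.group(0)
        if not retry_next_content:
            return None
        pos = idx + 1                                # move on to the next occurrence
    return None


if __name__ == "__main__":
    print(content_then_relative_pcre(SAMPLE_BODY, "value", HEX32_PCRE, retry_next_content=False))
    print(content_then_relative_pcre(SAMPLE_BODY, "value", HEX32_PCRE))
```

With retries disabled the hex rule misses the second `value` entirely, while the rule keyed to the first `value` still fires, which is exactly the pattern of results in the report.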

Actions #2

Updated by Victor Julien over 11 years ago

Applied https://github.com/inliniac/suricata/pull/336 to master, not to 1.4.x. Need a separate pr for that.

Actions #4

Updated by Victor Julien over 11 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Merged yesterday, thanks Anoop.
