Suricata

This was an odd discovery.

If a PCRE rule has a relative match ending in /R, the rule fails to load (runtime error), even if the rule occurs after a byte_jump. The error given is "pcre with /R (relative) needs preceding match in the same buffer".

My guess is that lines 1010-1011 in detect-pcre.c could include:

SigMatch prev_pm = DetectGetLastSMByListPtr(s, sm->prev,
            DETECT_CONTENT, DETECT_PCRE, *DETECT_BYTEJUMP , -1);

Possibly other detection types also move the detection pointer and could be added to this list (I'm not sure if other byte_extract/byte_math/etc rules update the detection pointer?).

(And yes I realize that pcre without any content check is an expensive operation; but I was playing with a rule that uses a flowbit and byte_test to determine that the pcre execution is warranted).