Bug #7987
openpcre with relative match fails after byte_jump
Description
This was an odd discovery.
If a PCRE rule has a relative match ending in /R, the rule fails to load (runtime error), even if the rule occurs after a byte_jump. The error given is "pcre with /R (relative) needs preceding match in the same buffer".
My guess is that lines 1010-1011 in detect-pcre.c could include:
SigMatch *prev_pm = DetectGetLastSMByListPtr(s, sm->prev,
        DETECT_CONTENT, DETECT_PCRE, DETECT_BYTEJUMP, -1);
Possibly other detection types also move the detection pointer and could be added to this list (I'm not sure if other byte_extract/byte_math/etc. rules update the detection pointer).
(And yes, I realize that pcre without any content check is an expensive operation, but I was playing with a rule that uses a flowbit and byte_test to determine that the pcre execution is warranted.)
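Two constructed Suricata rules that illustrate the shape of the report. They are an added example, not rules posted by the reporter or shipped by the Suricata project; the flowbit name, byte offsets, payload pattern and sids are placeholders. Rule 1 has the reported structure (byte_test gating, byte_jump, then pcre with /R and no content keyword), which the report says is rejected at load time. Rule 2 puts a content match on the same buffer between byte_jump and the pcre, which is what the quoted check (last content or pcre in the list) looks for.

```suricata
# Constructed example, not from the bug report.
# Rule 1: the reported shape. byte_test decides whether the expensive pcre is
# worth running, byte_jump moves the detection pointer, and the pcre is relative.
# Per the report this fails to load with:
#   "pcre with /R (relative) needs preceding match in the same buffer"
alert tcp any any -> any any (msg:"EXAMPLE pcre /R directly after byte_jump"; \
    flow:established,to_server; \
    flowbits:isset,example.parsed_header; \
    byte_test:1,=,0x05,0; \
    byte_jump:2,1; \
    pcre:"/^HELLO\x20[A-Z]{3}/R"; \
    sid:9000001; rev:1;)

# Rule 2: same logic, but a content keyword anchored at the jumped-to position
# (distance:0) precedes the pcre, so a preceding match exists in the same buffer
# and the /R check the reporter quotes is satisfied.
alert tcp any any -> any any (msg:"EXAMPLE pcre /R after byte_jump and content"; \
    flow:established,to_server; \
    flowbits:isset,example.parsed_header; \
    byte_test:1,=,0x05,0; \
    byte_jump:2,1; \
    content:"HELLO"; distance:0; \
    pcre:"/^\x20[A-Z]{3}/R"; \
    sid:9000002; rev:1;)
```

Loading the two rules with `suricata -T -S rules.rules` shows the difference: on a build with the behaviour described above, rule 1 is rejected with the quoted error and rule 2 loads. The content keyword in rule 2 also gives the multi-pattern matcher something to prefilter on, which addresses the cost concern the reporter raises.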