Bug #7987

open

pcre with relative match fails after byte_jump

Added by Reid Wightman about 16 hours ago.

Status: New
Priority: Normal

Description

This was an odd discovery.

If a PCRE rule has a relative match ending in /R, the rule fails to load (runtime error), even if the rule occurs after a byte_jump. The error given is "pcre with /R (relative) needs preceding match in the same buffer".

My guess is that lines 1010-1011 in detect-pcre.c could include:

SigMatch *prev_pm = DetectGetLastSMByListPtr(s, sm->prev,
        DETECT_CONTENT, DETECT_PCRE, DETECT_BYTEJUMP, -1);

Possibly other detection types also move the detection pointer and could be added to this list (I'm not sure if other byte_extract/byte_math/etc rules update the detection pointer?).

(And yes, I realize that pcre without any content check is an expensive operation, but I was playing with a rule that uses a flowbit and byte_test to determine that the pcre execution is warranted).
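A ruleset can be scanned for rules that would hit the load error described above before they reach the engine. The following is an added example, not code from the report or from the Suricata project: it mirrors the check as the report quotes it (only content and pcre count as a preceding match), and assumes that a valueless keyword containing a dot, or file_data/pkt_data, starts a new buffer. The sample rules are constructed.

```python
import re

# Keywords the quoted check accepts as a "preceding match" for pcre /R.
ANCHORS = {"content", "pcre"}
# Legacy valueless keywords that switch the inspection buffer (assumption:
# any other valueless keyword containing a dot is also a sticky buffer).
LEGACY_BUFFERS = {"file_data", "pkt_data"}

def rule_options(rule):
    """Yield (keyword, value) pairs from the parenthesised option list."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    for opt in re.split(r"(?<!\\);", body):  # '\;' is an escaped semicolon
        opt = opt.strip()
        if opt:
            key, _, val = opt.partition(":")
            yield key.strip().lower(), val.strip()

def is_relative_pcre(value):
    """True if the pcre value carries the R (relative) modifier."""
    pattern = value.lstrip("!").strip().strip('"')
    modifiers = pattern[pattern.rfind("/") + 1 :]
    return "R" in modifiers

def unanchored_relative_pcre(rule):
    """Return pcre values using /R with no earlier content/pcre in the buffer."""
    hits, anchored = [], False
    for key, val in rule_options(rule):
        if not val and ("." in key or key in LEGACY_BUFFERS):
            anchored = False  # new buffer: earlier matches no longer count
        if key == "pcre" and is_relative_pcre(val) and not anchored:
            hits.append(val)
        if key in ANCHORS:
            anchored = True
    return hits

# Constructed sample rules (not taken from the bug report).
BYTE_JUMP_ONLY = ('alert tcp any any -> any any (msg:"constructed"; '
                  'byte_jump:2,0; pcre:"/^[A-Z]{4}/R"; sid:1000001;)')
CONTENT_FIRST = ('alert tcp any any -> any any (msg:"constructed"; '
                 'content:"|01 02|"; byte_jump:2,0,relative; '
                 'pcre:"/^[A-Z]{4}/R"; sid:1000002;)')

if __name__ == "__main__":
    for r in (BYTE_JUMP_ONLY, CONTENT_FIRST):
        print(unanchored_relative_pcre(r) or "ok")
```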
