Bug #7987

open

pcre with relative match fails after byte_jump

Added by Reid Wightman 23 days ago. Updated 22 days ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

This was an odd discovery.

If a PCRE rule has a relative match ending in /R, the rule fails to load (runtime error), even if the rule occurs after a byte_jump. The error given is "pcre with /R (relative) needs preceding match in the same buffer".

My guess is that lines 1010-1011 in detect-pcre.c could include:

SigMatch *prev_pm = DetectGetLastSMByListPtr(s, sm->prev,
                                             DETECT_CONTENT, DETECT_PCRE,
                                             DETECT_BYTEJUMP, /* proposed addition */
                                             -1);

Possibly other detection types also move the detection pointer and could be added to this list (I'm not sure if other byte_extract/byte_math/etc rules update the detection pointer?).

(And yes, I realize that pcre without any content check is an expensive operation; but I was playing with a rule that uses a flowbit and byte_test to determine that the pcre execution is warranted).
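A constructed pair of rules illustrating the two forms at issue (added here as an example; this is neither the reporter's rule nor anything from the Suricata source, and the sids are placeholders). The first has only a byte_jump ahead of the relative pcre, the shape the described check rejects; the second puts a content match in the same buffer before it, which the lookback accepts.

```suricata
# Constructed example 1: byte_jump moves the detection pointer, then pcre anchors
# to it with /R. With no content or pcre earlier in the rule, the check in
# detect-pcre.c reports "pcre with /R (relative) needs preceding match in the same buffer".
alert tcp any any -> any any (msg:"example: byte_jump then relative pcre"; \
    flow:to_server,established; \
    byte_jump:2,0; \
    pcre:"/^\x01\x02/R"; \
    sid:9000001; rev:1;)

# Constructed example 2: the same logic, but a content match in the same buffer
# precedes the relative pcre, so the lookback finds a DETECT_CONTENT and the rule loads.
alert tcp any any -> any any (msg:"example: content, byte_jump, relative pcre"; \
    flow:to_server,established; \
    content:"|00 10|"; depth:2; \
    byte_jump:2,0,relative; \
    pcre:"/^\x01\x02/R"; \
    sid:9000002; rev:1;)
```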

Actions #1

Updated by Victor Julien 22 days ago

Can you provide a test case of what you're trying to do? It would help analyze the issue as well as be useful as a regression test case in our SV suite after a fix.
