Bug #1957
closed
PCRE lowercase enforcement in http_host buffer does not allow for upper case in hex-encoding
Description
The http_host buffer is normalized to be all lower case. However, the validation for PCREs applied to this buffer does not allow for (valid) upper case letters to be used in escaped hex-encoding (\xhh). Example rule:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"suricata TLD in HTTP Host"; flow:established, to_server; content:"|2E|suricata"; http_host; pcre:"/\x2Esuricata$/W"; priority: 5; sid:1231;)
Generates this alert:
<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre host("W") specified has an uppercase char. Since the hostname buffer we match against is actually lowercase, please specify an all lowercase based pcre.
Changing the PCRE to have '\x2e' instead of '\x2E' works:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"suricata TLD in HTTP Host"; flow:established, to_server; content:"|2E|suricata"; http_host; pcre:"/\x2esuricata$/W"; priority: 5; sid:1231;)
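The check this report asks for, sketched as an added example (not part of the original report and not Suricata's own code): scan the pattern for literal uppercase letters while skipping escape sequences, so the hex digits of \x2E are not mistaken for literals. The function name is hypothetical; as an assumption beyond the report it also flags hex escapes that decode to A-Z, since those can never match a lowercased buffer, and it does not handle \Q...\E quoting or named groups.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper: true if `re` can only match an uppercase ASCII letter
 * somewhere, which the lowercased host buffer will never contain.
 * Escapes are consumed as units: \W, \D etc. are classes, not literals,
 * and the digits of \xhh or \x{h..} are decoded rather than case-checked. */
bool host_pcre_has_literal_upper(const char *re)
{
    for (size_t i = 0; re[i] != '\0'; i++) {
        if (re[i] != '\\') {
            if (isupper((unsigned char)re[i]))
                return true;          /* plain uppercase literal */
            continue;
        }
        if (re[++i] == '\0')
            break;                    /* trailing backslash, nothing to scan */
        if (re[i] != 'x')
            continue;                 /* \W, \., \\ ...: one escaped char */
        bool braced = (re[i + 1] == '{');
        if (braced)
            i++;
        int max = braced ? 8 : 2;     /* \xhh takes at most two hex digits */
        unsigned v = 0;
        for (int n = 0; n < max && isxdigit((unsigned char)re[i + 1]); n++) {
            i++;
            int c = tolower((unsigned char)re[i]);
            v = v * 16 + (unsigned)(isdigit(c) ? c - '0' : c - 'a' + 10);
        }
        if (braced && re[i + 1] == '}')
            i++;
        if (v >= 'A' && v <= 'Z')
            return true;              /* e.g. \x41 encodes 'A' */
    }
    return false;
}

int main(void)
{
    /* The two patterns from the rules in this report. */
    const char *samples[] = { "\\x2Esuricata$", "\\x2esuricata$" };
    for (size_t i = 0; i < 2; i++)
        printf("%s -> %s\n", samples[i],
               host_pcre_has_literal_upper(samples[i]) ? "rejected" : "accepted");
    return 0;
}
```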