Bug #49
closedAtomic Grouping needs to be updated for PARSE_REGEX in detect-pcre.c to allow for matches ending with \\
Description
The second atomic grouping "(?<!\\\\)" in the regex below prevents pcre matches ending in "\\" to be parsed.
#define PARSE_REGEX "(?<!\\\\)/(.*)(?<!\\\\)/([^\"]*)"
This e-mail was sent to the oisf-devel list.
Hi,
During my test, I have a pcre error with this signature:
alert tcp any any > any any (msg:"test7"; pcre:"/\\/"; classtype:policy-violation; sid:987654321; rev:1;) 09:58:46 - (detect.c:327) <Info> (SigLoadSignatures) -- Loading rule file: test.rules
It's a simplified signature for demonstrated pcre error. (this signature work with snort)
suricata error:
[3834] 5/1/2010 -
[3834] 5/1/2010 -- 09:58:46 - (detect-parse.c:811) <Error> (SigInitReal) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(19)] - Signature init failed "alert tcp any any -> any any (msg:"test7"; pcre:"/\\/"; classtype:policy-violation; sid:987654321; rev:1;)
suricata cmd line starting:
./suricata080beta -c suricata.yaml -r test.pcap --init-errors-fatal
If I replace "\\" to "\x7C" it's work.
Regards
Rmkml
Files
Updated by Victor Julien over 14 years ago
- Due date changed from 01/10/2010 to 03/13/2010
- Target version changed from 0.8.1 to 0.8.2
Updated by Victor Julien over 14 years ago
- Due date changed from 03/13/2010 to 04/16/2010
- Assignee changed from OISF Dev to Pablo Rincon
- Priority changed from Normal to High
Updated by Pablo Rincon over 14 years ago
- File 0001-Fix-redmine-issue-49-allow-pcre-to-end-a-pattern-wit.patch 0001-Fix-redmine-issue-49-allow-pcre-to-end-a-pattern-wit.patch added
- Status changed from New to Assigned
- % Done changed from 0 to 90
Done, I changed the regex to "(?<!\\\\)/(.*(?<!(?<!\\\\)\\\\))/([^\"]*)"
It might look ugly but the idea is that we allow an ending slash only if the previous char is an slash too. So we do not allow a regex like pcre:"/hi\/" (because it cannot scape the closing slash), but we do allow pcre:"/hi\\/" (or just as the first example "/\\/").
I also added unit tests for parsing, and matching.
Updated by Victor Julien over 14 years ago
- Status changed from Assigned to Closed
- % Done changed from 90 to 100
Applied, thanks Pablo.