Bug #49
Status: closed
Atomic Grouping needs to be updated for PARSE_REGEX in detect-pcre.c to allow for matches ending with \\
Description
The second atomic grouping "(?<!\\\\)" in the regex below prevents pcre matches ending in "\\" from being parsed.
#define PARSE_REGEX "(?<!\\\\)/(.*)(?<!\\\\)/([^\"]*)"
This e-mail was sent to the oisf-devel list.
Hi,
During my test, I have a pcre error with this signature:
alert tcp any any -> any any (msg:"test7"; pcre:"/\\/"; classtype:policy-violation; sid:987654321; rev:1;)
It's a simplified signature to demonstrate the pcre error (this signature works with snort).
suricata error:
[3834] 5/1/2010 - 09:58:46 - (detect.c:327) <Info> (SigLoadSignatures) -- Loading rule file: test.rules
[3834] 5/1/2010 -- 09:58:46 - (detect-parse.c:811) <Error> (SigInitReal) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(19)] - Signature init failed "alert tcp any any -> any any (msg:"test7"; pcre:"/\\/"; classtype:policy-violation; sid:987654321; rev:1;)
suricata cmd line starting:
./suricata080beta -c suricata.yaml -r test.pcap --init-errors-fatal
If I replace "\\" with "\x7C" it works.
Regards
Rmkml
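Added example, not part of the original report or of Suricata's code: the delimiter-splitting behaviour described above, reproduced with Python's re module standing in for libpcre, next to one possible pattern that pairs up backslashes before accepting the closing "/". PAIRWISE_REGEX, split_option, pattern_is_valid and the sample strings are hypothetical names and constructed inputs; only PARSE_REGEX and the "/\\/" option come from the report.

```python
import re

# PARSE_REGEX from detect-pcre.c, after C string-literal unescaping.
PARSE_REGEX = r'(?<!\\)/(.*)(?<!\\)/([^"]*)'

# Hypothetical alternative, not the project's fix: read the body as escaped
# pairs (\x) or single non-backslash characters, so the closing "/" is
# accepted whenever the backslashes in front of it pair up.
PAIRWISE_REGEX = r'/((?:\\.|[^\\])*)/([^"]*)'

# Constructed option strings, as they appear between the quotes of pcre:"...".
SAMPLES = [
    r'/\\/',         # from the report: pattern is one escaped backslash
    r'/C:\\/i',      # escaped backslash before the delimiter, with a modifier
    r'/foo\/bar/i',  # escaped "/" inside the pattern
    r'/abc\/',       # only an escaped "/" at the end: no closing delimiter
]

def split_option(regex, option):
    """Return (pattern, modifiers), or None when the option does not parse.
    fullmatch() anchoring is an assumption of this example."""
    m = re.fullmatch(regex, option)
    return m.groups() if m else None

def pattern_is_valid(option, regex=PAIRWISE_REGEX):
    """True if the extracted pattern itself compiles as a regex."""
    parts = split_option(regex, option)
    if parts is None:
        return False
    try:
        re.compile(parts[0])
        return True
    except re.error:
        return False

if __name__ == "__main__":
    for opt in SAMPLES:
        print(f"{opt:14} current={split_option(PARSE_REGEX, opt)} "
              f"pairwise={split_option(PAIRWISE_REGEX, opt)}")
```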