Bug #49

closed

Atomic Grouping needs to be updated for PARSE_REGEX in detect-pcre.c to allow for matches ending with \\

Added by Will Metcalf almost 15 years ago. Updated over 14 years ago.

Status: Closed
Priority: High

Description

The second atomic grouping "(?<!\\\\)" in the regex below prevents pcre matches ending in "\\" from being parsed.

#define PARSE_REGEX "(?<!\\\\)/(.*)(?<!\\\\)/([^\"]*)"

This e-mail was sent to the oisf-devel list.

Hi,
During my test, I have a pcre error with this signature:
alert tcp any any -> any any (msg:"test7"; pcre:"/\\/"; classtype:policy-violation; sid:987654321; rev:1;)
It's a simplified signature to demonstrate the pcre error (this signature works with snort).
suricata error:
[3834] 5/1/2010 -- 09:58:46 - (detect.c:327) <Info> (SigLoadSignatures) -- Loading rule file: test.rules
[3834] 5/1/2010 -- 09:58:46 - (detect-parse.c:811) <Error> (SigInitReal) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(19)] - Signature init failed "alert tcp any any -> any any (msg:"test7"; pcre:"/\\/"; classtype:policy-violation; sid:987654321; rev:1;)
suricata cmd line starting:
./suricata080beta -c suricata.yaml -r test.pcap --init-errors-fatal
If I replace "\\" with "\x7C" it works.
Regards
Rmkml
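
The parsing failure reported above can be reproduced outside Suricata. The following is an added example, not code from this ticket or from Suricata: Python's re module stands in for PCRE to model PARSE_REGEX, and a hypothetical backslash-parity splitter is shown beside it for comparison. The function names and the sample option values are constructed for illustration.

```python
import re

# PARSE_REGEX from detect-pcre.c as quoted in this report, with the C string
# escaping removed: "(?<!\\\\)/(.*)(?<!\\\\)/([^\"]*)"
PARSE_REGEX = re.compile(r'(?<!\\)/(.*)(?<!\\)/([^"]*)')


def split_with_parse_regex(opt):
    """Split a pcre option value the way the reported regex does."""
    m = PARSE_REGEX.search(opt)
    return (m.group(1), m.group(2)) if m else None


def is_unescaped(opt, i):
    """True if opt[i] is preceded by an even number (0, 2, ...) of backslashes."""
    run = 0
    while i - run - 1 >= 0 and opt[i - run - 1] == "\\":
        run += 1
    return run % 2 == 0


def split_by_parity(opt):
    """Hypothetical alternative (an assumption, not the project's fix): a '/'
    is a delimiter only if the backslash run in front of it has even length."""
    delims = [i for i, c in enumerate(opt) if c == "/" and is_unescaped(opt, i)]
    if len(delims) < 2:
        return None
    first, last = delims[0], delims[-1]      # last one, like the greedy (.*)
    modifiers = opt[last + 1:].split('"', 1)[0]
    return opt[first + 1:last], modifiers


# Constructed sample option values (the text between the quotes of pcre:"...").
SAMPLES = [
    r"/abc/i",     # ordinary pattern with a modifier
    r"/a\/b/",     # escaped slash inside the pattern
    r"/\\/",       # the pattern from the report: an escaped backslash
    r"/foo\/",     # closing slash really is escaped: must be rejected
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:12} regex={split_with_parse_regex(s)} parity={split_by_parity(s)}")
```

The lookbehind only checks the single character before the closing "/", so it cannot tell an escaped slash from a slash that follows an escaped backslash. Counting the whole backslash run separates the two cases.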

