Re: [Snort-users] PCRE problem with some security policy rules

["Russ Combs \(rucombs\) via Snort-sigs" <snort-sigs () lists snort org>]

The problem is apparently somewhere else.  java= is not in the rule you
identified.  And ?java=[0-9]{2,6}$ doesn¹t appear in any recent text rule.

Also sid:23805 is in browser-webkit.rules in the 29130 snapshot, not
exploit-kit.rules.  Which rule set are you using?

Just a guess, but maybe the rules you have installed are somehow borked.
Did you try downloading and reinstalling?


On 8/1/19, 9:31 PM, "Snort-sigs on behalf of Joel Esler (jesler) via
Snort-sigs" <snort-sigs-bounces () lists snort org on behalf of
snort-sigs () lists snort org> wrote:

> Adding in snort-sigs, where signatures questions should live.
>
> We¹ll have a look here. Thanks
>
> Sent from my • iPhone
>
> > On Aug 1, 2019, at 14:01, clemence.roulin--- via Snort-users
> > <snort-users () lists snort org> wrote:
> >
> >
> > Hello,
> > I'm using Snort 2.9.13 on Centos7 with the registered Talos rules. With
> > the default rules, Snort runs just fine but didn't raise many alerts so
> > we decided to switch to the security-ips policy. When using the rules
> > from this policy, Snort fails to start, displaying errors always linked
> > to PCRE.
> > Here is an example of what Snort says (shortened):
> >  
> >  
> > snort -d -l /var/log/snort/ -c /etc/snort/snort.conf -k none
> > Running in IDS mode
> >  
> > --== Initializing Snort ==--
> > Initializing Output Plugins!
> > Initializing Preprocessors!
> > Initializing Plug-ins!
> > Parsing Rules file "/etc/snort/snort.conf"
> > ...
> > ...
> > ...
> > Reputation config:
> > WARNING: Can't find any whitelist/blacklist entries. Reputation
> > Preprocessor disabled.
> >  
> > +++++++++++++++++++++++++++++++++++++++++++++++++++
> > Initializing rule chains...
> > ERROR: /etc/snort/rules/exploit-kit.rules(130) : pcre compile of
> > "?java=[0-9]{2,6}$" failed at offset 0 : nothing to repeat
> > Fatal Error, Quitting..
> >  
> >  
> >  
> > The rule in question, from exploit-kit.rules :
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any
> > (msg:"BROWSER-WEBKIT WebKit button column memory corruption attempt";
> > flow:to_ client,established; file_data; content:"-webkit-column-span";
> > fast_pattern; nocase; content:"document.documentElement.offsetTop"; d
> > istance:0; 
> > pcre:"/(functions+(?P<function>[a-z0-9_-]+)()s*{.*?(?P<div>[a-z0-9_-]+)s*
> > =s*document.createElement('div')x3b.*?(?P=div).
> > style['-webkit-column-span']s*=s*'all'x3b.*?document.getElementById("(?P<
> > button>[a-z0-9_-]+)").appendChild((?P=div))x3b.*?document.
> > documentElement.offsetTopx3b.*?<body[^>]*?onloads*=s*"(?P=function)()"[^>
> > ]*?>.*?<button[^>]*?ids*=s*"(?P=button)"[^>]*?styles*=s*"[
> > ^"]*?-webkit-column-widthx3a1px"[^>]*?>)|(<style>.*?{s*-webkit-column-spa
> > nx3as*allx3b.*?functions+(?P<function2>[a-z0-9_-]+)()s*{.*
> > ?(?P<div2>[a-z0-9_-]+)*s*=s*document.createElement('div')x3b.*?(?P<button
> > 2>[a-z0-9_-]+)s*=s*document.createElement('button')x3b.*?d
> > ocument.documentElement.appendChild((?P=button2))x3b.*?(?P=button2).appen
> > dChild((?P=div2)).*?document.documentElement.offsetTopx3b) /smi";
> > metadata:policy max-detect-ips drop, policy security-ips drop, service
> > http; reference:bugtraq,54680; reference:cve,2012-152 0;
> > classtype:attempted-user; sid:23805; rev:8;)
> >  
> > I had PCRE 8.32 when it started, so updated it to PCRE 8.43 which
> > seemed to be the most recent version, but the errors remain. I have put
> > it through pcretest, and have the same error so the problem definitely
> > comes from the PCRE pattern and not any other part of the rules. I have
> > downloaded the rules directly from the snort.org website, and tried to
> > download it again to check if it wasn't due to the file being corrupted
> > while downloaded, but it's not.
> > I tried to comment out this rule, but many more have similar problems,
> > for example this other rule where the PCRE parser fails, also from
> > exploit-kit.rules :
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT
> > Whitehole exploit kit malicious jar download attempt"; flow:
> > to_server,established; content:"?java="; fast_pattern:only; http_uri;
> > pcre:"/?java=[0-9]{2,6}$/U"; flowbits:set,file.exploit_kit.ja r;
> > metadata:impact_flag red, policy balanced-ips drop, policy
> > max-detect-ips drop, policy security-ips drop, service http; referenc
> > e:cve,2011-3544; reference:cve,2012-1723; reference:cve,2012-4681;
> > reference:cve,2012-5076; reference:cve,2013-0422; reference:cve,
> > 2013-1493; reference:cve,2013-2423;
> > reference:url,malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-e
> > xploit-kit-hello.html; classtype:trojan-activity; sid:25804; rev:5;
> > Some rules also work fine while containing PCRE patterns.
> >  
> > Are the weird rules basing their PCRE patterns on another version of
> > PCRE ? Or is the problem somewhere else ?
> > Thank you
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists snort org
> > Go to this URL to change user options or unsubscribe:
> > https://lists.snort.org/mailman/listinfo/snort-users
> >
> >    To unsubscribe, send an email to:
> >    snort-users-leave () lists snort org
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
> >
> > Please follow these rules:
> > https://snort.org/faq/what-is-the-mailing-list-etiquette

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!