Snort mailing list archives

Re: Recent changes to SNORT 2.9.4.0 rulesets regarding PCRE syntax.


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 20 Feb 2013 22:45:11 -0500

Yup.  I need to gather a few facts. Then I'll blog it or something. But for now, everyone, upgrade your pcre!

--
Joel Esler
Sent from my iPhone 

On Feb 20, 2013, at 6:22 PM, Robert Cotter <Robert.Cotter () endace com> wrote:

I suspect based on recent emails from VRT support that we will be seeing an announcement from VRT sometime soon on 
the solution to this issue as it relates to the version of the PCRE library being used on the platform.
 
Regards
 
-- 
Robert Cotter
Sales Engineer APAC

robert.cotter () endace com 
DDI: +64 9 926 2931 Mob: +64 21 67 5550 
LinkedIn: Robert Cotter; Skype: endace.robert.cotter 

Level 2, Building A
600 Great South Road
Ellerslie, Auckland 1051, New Zealand

www.endace.com; LinkedIn; follow us on Twitter

power to see all

This email (including any attachments) is intended to be read by the named recipient(s) only. If the email wasn’t 
addressed to you, you mustn’t use, distribute or copy any part of it. If you’ve received it in error please delete it 
(along with any attachments) and inform us of the error. Emails aren’t secure and can’t be guaranteed to be error 
free as they can be intercepted, amended, lost or destroyed. It’s your responsibility to check this email and any 
attachments for viruses. These risks are deemed accepted by everyone that communicates with us by email.
 
 
From: Stark, Vernon L. [mailto:Vernon.Stark () jhuapl edu] 
Sent: Thursday, 21 February 2013 3:52 a.m.
To: snort-users () lists sourceforge net
Cc: Robert Cotter
Subject: FW: [Snort-users] Recent changes to SNORT 2.9.4.0 rulesets regarding PCRE syntax.
 
I’ve seen this with rules for version 2.9.3.1.  The rule I’ve had trouble with is one you list, sid:25773.  The error 
message I get is as follows.
 
FATAL ERROR: /etc/snort/rules/VRT-browser-ie.rules(120) : pcre compile of 
"var\s*?(?<m1>\w+)s*?=s*?document.createElement\s*?\([\x22\x27][\w]s*?[\x3a\x3b]\s*?shape[\x22\x27]\).*?(?P=m1)s*?.\s*?setAttribute\s*?\(\s*?[\x22\x27]\s*?path\s*?[\x22\x27]\s*?,\s*?[\x22\x27][^\x29]{506}.*?(?P=m1)\.s*?path"
 failed at offset 10 : unrecognized character after (?<
 
Vern
 
From: Robert Cotter [mailto:Robert.Cotter () endace com] 
Sent: Monday, February 18, 2013 3:54 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Recent changes to SNORT 2.9.4.0 rulesets regarding PCRE syntax.
 
I noticed that on/about 14th February some rules were changed to use some newer PCRE commands/syntax that 
can crash SNORT depending on the version of PCRE libraries installed.
 
The problem only appears to occur if you have enabled any of the following rules.
 
./rules/server-mail.rules: sid:16193
./rules/browser-ie.rules: sid:25773 
./rules/os-windows.rules: sid:13270
./rules/os-windows.rules: sid:18171
./rules/os-windows.rules: sid:13269
./rules/os-windows.rules: sid:13271
./rules/os-windows.rules: sid:15684
./rules/os-windows.rules: sid:13272
./rules/os-windows.rules: sid:18172
 
This is the error message.
 
ERROR: /var/appliedwatch/agent/data/agent.1/var/snort/policy/etc/../rules/browser-ie.rules(47) : pcre compile of 
"var\s*?(?<m1>\w+)s*?=s*?document.createElement\s*?\([\x22\x27][\w]s*?[\x3a\x3b]\s*?shape[\x22\x27]\).*?(?P=m1)s*?.\s*?setAttribute\s*?\(\s*?[\x22\x27]\s*?path\s*?[\x22\x27]\s*?,\s*?[\x22\x27][^\x29]{506}.*?(?P=m1)\.s*?path"
  failed at offset 10 : unrecognized character after (?<
Fatal Error, Quitting..
 
It appears that the old method of having a ‘(?P<’ instead of the newer ‘(?<’ syntax has triggered the issue.
 
Anyone else seen this?
 
There is no version dependency on the snort.org website
 
http://www.snort.org/start/requirements
 
except a link to pcre.org which only has a link to the latest version, being 8.32.
 
Anyone else been impacted by this?????
 
What’s the minimum version of PCRE required to support this syntax? Best I can find is that support for this was 
in 5.005 which is a lot older than the version of PCRE I am currently running.
 
Regards
 
 
 
------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_feb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
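The thread turns on two spellings of the same thing: `(?P<name>...)` is the older Python-style named group that PCRE has accepted for years, while `(?<name>...)` (and `(?'name'...)`, `\k<name>`) is Perl 5.10 syntax that PCRE only added in release 7.0, so an older libpcre fails at the `(?<` exactly as in the error above. Lookbehinds `(?<=...)` and `(?<!...)` also start with `(?<` but are old syntax and compile everywhere. The script below is an added example, not code from the thread, from Snort or from VRT: it walks a rules file, pulls out every `pcre:"..."` option, and reports the sid of each active rule whose pattern uses the newer named-group forms, so an operator can see which rules will fail to compile before enabling them. The sample rules and their sids are constructed placeholders; the regexes that recognise the rule syntax are this example's own assumptions about the `pcre:` and `sid:` option format.

```python
"""Flag Snort rules whose pcre option needs Perl 5.10 named-group support.

Added example; not code from the mailing-list thread, Snort or VRT. It does
not compile anything: it only spots the syntax an older libpcre rejects, so
the authoritative check is still compiling the rule against the libpcre that
is actually linked into snort (for instance with pcretest from that build).
"""
import re
import sys

# Constructed sample ruleset; the sids are placeholders, not real VRT sids.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"TEST new-style named group"; pcre:"/var\s*?(?<m1>\w+)\s*?=.*?(?P=m1)/i"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"TEST old-style named group"; pcre:"/var\s*?(?P<m1>\w+)\s*?=.*?(?P=m1)/i"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"TEST lookbehind only"; pcre:"/(?<=foo)bar(?<!baz)/"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"TEST quoted-name group"; pcre:"/(?'tag'<\w+>).*?\k'tag'/"; sid:1000004; rev:1;)
# alert tcp any any -> any any (msg:"TEST commented out"; pcre:"/(?<x>a)/"; sid:1000005; rev:1;)
alert tcp any any -> any any (msg:"TEST no pcre at all"; content:"abc"; sid:1000006; rev:1;)
'''

# pcre:"..." or the negated pcre:!"...". Inside the quotes a backslash escapes
# the next character, so \" does not terminate the option.
PCRE_OPT = re.compile(r'pcre:\s*!?\s*"((?:\\.|[^"\\])*)"')
SID_OPT = re.compile(r'\bsid:\s*(\d+)')

# Perl 5.10 forms that PCRE gained in 7.0: (?<name>...), (?'name'...),
# \k<name>, \k'name', \k{name}. "(?<=" and "(?<!" are lookbehinds, which every
# PCRE release understands, so the negative lookahead excludes them.
NEW_NAMED_SYNTAX = re.compile(r"""\(\?<(?![=!])|\(\?'|\\k[<'{]""")


def pcre_patterns(rule):
    """Return the bodies of all pcre:"..." options found in one rule line."""
    return [m.group(1) for m in PCRE_OPT.finditer(rule)]


def uses_new_named_syntax(pattern):
    """True if the pattern uses named-group syntax older libpcre rejects."""
    return NEW_NAMED_SYNTAX.search(pattern) is not None


def sid_of(rule):
    """Return the rule's sid as an int, or None if it has none."""
    m = SID_OPT.search(rule)
    return int(m.group(1)) if m else None


def scan_rules(text):
    """Return (sid, pattern) for every active rule that needs the newer syntax.

    Blank lines and commented-out rules are skipped because snort never hands
    their pcre to the library, so they cannot trigger the compile error.
    """
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        for pattern in pcre_patterns(line):
            if uses_new_named_syntax(pattern):
                hits.append((sid_of(line), pattern))
    return hits


if __name__ == '__main__':
    # With a path argument, scan that rules file; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding='utf-8', errors='replace') as fh:
            text = fh.read()
    else:
        text = SAMPLE_RULES
    for sid, pattern in scan_rules(text):
        print(f'sid:{sid} needs Perl 5.10 named-group support: {pattern}')
```

Run it against a rules file (`python3 scan_pcre.py /etc/snort/rules/browser-ie.rules`, path assumed) to get the list of sids to leave disabled until the PCRE library under snort is upgraded; on the sample it reports sid 1000001 and sid 1000004 and stays silent on the `(?P<...>` rule and the lookbehind-only rule.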