Snort mailing list archives

Re: Problem with rule sid 33323


From: Guillaume Daleux <guillaume.daleux () abovesecurity com>
Date: Fri, 20 Feb 2015 17:28:26 +0000

Hello Patrick,

Yes I understand but I have some important deployment constraints and that is why I use an LTS release of CentOS (which has full updates until Q1 2014 and maintenance updates until 2017).

I found a workaround by repackaging the PCRE version provided in the CentOS 6.0 repository.

Regards,

Guillaume


From: Patrick Mullen [mailto:pmullen () sourcefire com]
Sent: February-20-15 11:34 AM
To: Guillaume Daleux
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Problem with rule sid 33323

Guillaume,

While that rule could be modified to work on your system, the release date of CentOS 5.3 was April 2009 and your 
version of PCRE is from Feb 2006, which is a full nine years old.  This is an issue that is going to keep happening for 
you (in fact, I suspect that if you were to remove that rule, another rule would show itself as having a similar "parse 
error.").  I recommend updating your system to something modern, especially since it's a security device.


Thanks,

~Patrick

On Thu, Feb 19, 2015 at 9:59 AM, Guillaume Daleux <guillaume.daleux () abovesecurity com> wrote:
Hello all,

I have an error with rule sid 33323.

Error : failed at offset 3 : unrecognized character after (?<

Resolution : Update PCRE version (it works with PCRE version 7.8)

Bug details (debugging PCRE):
[root@DEV ~]# pcretest
PCRE version 6.6 06-Feb-2006

  re> 
"/(?<RS>\w+)\s?=\s?document\x2egetElementById\x28[\x22\x27]\w+[\x22\x27]\xx22\x27]\x29.*\k<RS>.DataSource\s?=\s?\k<OBJ>/smi"
Failed: unrecognized character after (?< at offset 4

Problem: I’m running CentOS 5.3 and the latest official PCRE version present in the repository is 6.6.

Question: Is there another way to write this rule and make it work without updating the PCRE version?

Regards,

Guillaume DALEUX


------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!



--
Patrick Mullen
Response Research Manager
Sourcefire VRT
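The error in the thread comes from the Perl 5.10-style named groups, (?<NAME>...) with \k<NAME> backreferences, which PCRE only gained in 7.0; PCRE 6.6 stops at the "<" and reports "unrecognized character after (?<". The script below is an added example, not code from this thread, from Snort or from Sourcefire, showing how such a rule body can be rewritten mechanically into numbered groups and numbered backreferences, which every PCRE release accepts. The pcre option string, the JavaScript-like sample payloads and the helper names (downgrade_named_groups, parse_snort_pcre, search_with_downgraded) are constructed for illustration and are not the text of SID 33323; Python's re module stands in for the regex engine.

```python
import re

# Added example (not Snort/Sourcefire code).  The constructed sample below
# imitates the shape of the pcre option quoted in the thread; it is NOT SID 33323.

_NAMED_OPEN = re.compile(r'\(\?P?<([A-Za-z_]\w*)>')   # (?<NAME> or (?P<NAME>
_FLAG_MAP = {'i': re.I, 's': re.S, 'm': re.M, 'x': re.X}


def downgrade_named_groups(pattern: str) -> str:
    """Rewrite (?<NAME>...) / (?P<NAME>...) to plain (...) and \\k<NAME> to \\N.

    Group numbers are assigned in order of opening parentheses, exactly as a
    regex engine numbers capturing groups, so the numbered backreferences point
    at the same text the named ones did.  Escapes and character classes are
    copied verbatim so a '(' inside them is not counted as a group.
    """
    names = {}          # NAME -> capturing-group number
    out = []
    group_no = 0
    in_class = False
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == '\\':
            if not in_class and pattern.startswith('\\k<', i):
                end = pattern.find('>', i)
                if end < 0:
                    raise ValueError('unterminated \\k<...> backreference')
                name = pattern[i + 3:end]
                if name not in names:
                    raise ValueError(f'backreference to undefined group {name!r}')
                out.append('\\' + str(names[name]))
                i = end + 1
            else:
                out.append(pattern[i:i + 2])   # copy any other escape verbatim
                i += 2
            continue
        if in_class:
            if c == ']':
                in_class = False
        elif c == '[':
            in_class = True
        elif c == '(':
            m = _NAMED_OPEN.match(pattern, i)
            if m:
                group_no += 1
                if m.group(1) in names:
                    raise ValueError(f'duplicate group name {m.group(1)!r}')
                names[m.group(1)] = group_no
                out.append('(')
                i = m.end()
                continue
            if not pattern.startswith('(?', i):
                group_no += 1              # plain capturing group; (?...) is not counted
        out.append(c)
        i += 1
    return ''.join(out)


def parse_snort_pcre(option: str):
    """Split the body of a Snort pcre option, "/regex/flags", into
    (regex, Python re flags).  Only the PCRE-level modifiers i, s, m, x are
    mapped; Snort-specific buffer modifiers are dropped here."""
    body = option.strip()
    if len(body) >= 2 and body[0] == body[-1] == '"':
        body = body[1:-1]
    end = body.rfind('/')
    if not body.startswith('/') or end == 0:
        raise ValueError('expected /regex/flags')
    regex, modifiers = body[1:end], body[end + 1:]
    flags = 0
    for ch in modifiers:
        flags |= _FLAG_MAP.get(ch, 0)
    return regex, flags


def search_with_downgraded(option: str, text: str):
    """Compile the downgraded form of a Snort pcre option and search `text`.
    Returns the captured groups on a hit, None otherwise."""
    regex, flags = parse_snort_pcre(option)
    rx = re.compile(downgrade_named_groups(regex), flags)
    m = rx.search(text)
    return m.groups() if m else None


# Constructed sample rule body and sample payloads (illustration only).
SAMPLE_OPTION = (r'"/(?<RS>\w+)\s?=\s?document\x2egetElementById\x28'
                 r'[\x22\x27](?<OBJ>\w+)[\x22\x27]\x29.*\k<RS>\x2eDataSource'
                 r'\s?=\s?\k<OBJ>/smi"')
SAMPLE_HIT = 'var rs = document.getElementById("grid1");\nrs.DataSource = grid1;'
SAMPLE_MISS = 'var rs = document.getElementById("grid1");\nrs.DataSource = other;'

if __name__ == '__main__':
    regex, flags = parse_snort_pcre(SAMPLE_OPTION)
    print('original  :', regex)
    print('downgraded:', downgrade_named_groups(regex))
    print('hit  ->', search_with_downgraded(SAMPLE_OPTION, SAMPLE_HIT))
    print('miss ->', search_with_downgraded(SAMPLE_OPTION, SAMPLE_MISS))
```

Two caveats when applying this to a real ruleset. A smaller edit also works on PCRE 6.x: it already understands the Python-style spelling, so (?<RS>...) can become (?P<RS>...) and \k<RS> can become (?P=RS) without renumbering anything. And numbered backreferences are fragile: inserting a capturing group ahead of them in a later rule update silently shifts every \N, which is one more reason Patrick's advice to update the engine rather than patch individual rules is the sound one for a sensor.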