[Snort-users] Recent changes to SNORT rulesets regarding PCRE syntax.

Robert Cotter Robert.Cotter at ...16102...
Mon Feb 18 15:54:23 EST 2013

I noticed that on/about 14th February that some rules were changed to now use some newer PCRE commands/syntax that can crash SNORT depending on your version of PCRE libraries installed.

The problem only appears to occur if you have enabled any of the following rules.

./rules/server-mail.rules: sid:16193
./rules/browser-ie.rules: sid:25773
./rules/os-windows.rules: sid:13270
./rules/os-windows.rules: sid:18171
./rules/os-windows.rules: sid:13269
./rules/os-windows.rules: sid:13271
./rules/os-windows.rules: sid:15684
./rules/os-windows.rules: sid:13272
./rules/os-windows.rules: sid:18172

This is the error message .

ERROR: /var/appliedwatch/agent/data/agent.1/var/snort/policy/etc/../rules/browser-ie.rules(47) : pcre compile of "var\s*?(?<m1>\w+)s*?=s*?document.createElement\s*?\([\x22\x27][\w]s*?[\x3a\x3b]\s*?shape[\x22\x27]\).*?(?P=m1)s*?.\s*?setAttribute\s*?\(\s*?[\x22\x27]\s*?path\s*?[\x22\x27]\s*?,\s*?[\x22\x27][^\x29]{506}.*?(?P=m1)\.s*?path" failed at offset 10 : unrecognized character after (?<
Fatal Error, Quitting..

It appears that the old method of having a '(?P<' instead of the newer '(?<' syntax has trigger the issue.

Anyone else seen this ?

There is no version dependency on the snort.org website


except a link to pcre.org which only has  a link to the latest version, being 8.32.

Anyone else been impacted by this?????

What's the minimum version of PCRE is required to support this syntax ? Best I can find is that support for this was in 5.005 which is a lot older than the version of PCRE I am currently running.


Robert Cotter
Sales Engineer APAC

robert.cotter at ...16102... <mailto:robert.cotter at ...16102...>
DDI: +64 9 926 2931 Mob: +64 21 67 5550
LinkedIn: Robert Cotter<http://nz.linkedin.com/pub/robert-cotter/4/3b/9a8>; Skype: endace.robert.cotter<skype:endace.robert.cotter?add>

Level 2, Building A
600 Great South Road
Ellerslie, Auckland 1051, New Zealand

www.endace.com<http://www.endace.com/>; LinkedIn<http://www.linkedin.com/companies/endace>; follow us on Twitter<http://twitter.com/endace>

power to see all

This email (including any attachments) is intended to be read by the named recipient(s) only. If the email wasn't addressed to you, you mustn't use, distribute or copy any part of it. If you've received it in error please delete it (along with any attachments) and inform us of the error. Emails aren't secure and can't be guaranteed to be error free as they can be intercepted, amended, lost or destroyed. It's your responsibility to check this email and any attachments for viruses. These risks are deemed accepted by everyone that communicates with us by email.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20130218/75954029/attachment.html>

More information about the Snort-users mailing list