[Snort-users] Recent changes to SNORT 2.9.4.0 rulesets regarding PCRE syntax.

Joel Esler jesler at ...1935...
Thu Feb 21 11:15:12 EST 2013


Okay, so the end result is that this pcre was missing a letter in the named capture.  I've fixed this problem and it will ship today.

That being said, named captures were introduced way back in pcre 4.0.  So you need to be running at least that, but I suggest you upgrade your pcre to the latest version that is available.  (That's generally what I recommend anyway!)  The only rule that had an issue was "25773".  The other rules referenced in the email below didn't have an issue; it just looks like a grep for similar structures, but with different functionality.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Feb 20, 2013, at 10:45 PM, Joel Esler <jesler at ...1935...> wrote:

> Yup.  I need to gather a few facts. Then I'll blog it or something. But for now, everyone, upgrade your pcre!
> 
> --
> Joel Esler
> Sent from my iPhone 
> 
> On Feb 20, 2013, at 6:22 PM, Robert Cotter <Robert.Cotter at ...16102...> wrote:
> 
>> I suspect based on recent emails from VRT support that we will be seeing an announcement from VRT sometime soon on the solution to this issue as it relates to the version of the PCRE library being used on the platform.
>>  
>> Regards
>>  
>> -- 
>> Robert Cotter
>> Sales Engineer APAC
>> 
>> robert.cotter at ...16102... 
>> DDI: +64 9 926 2931 Mob: +64 21 67 5550 
>> LinkedIn: Robert Cotter; Skype: endace.robert.cotter 
>> 
>> Level 2, Building A
>> 600 Great South Road
>> Ellerslie, Auckland 1051, New Zealand
>> 
>> www.endace.com; LinkedIn; follow us on Twitter
>> 
>> power to see all
>> 
>> This email (including any attachments) is intended to be read by the named recipient(s) only. If the email wasn’t addressed to you, you mustn’t use, distribute or copy any part of it. If you’ve received it in error please delete it (along with any attachments) and inform us of the error. Emails aren’t secure and can’t be guaranteed to be error free as they can be intercepted, amended, lost or destroyed. It’s your responsibility to check this email and any attachments for viruses. These risks are deemed accepted by everyone that communicates with us by email.
>>  
>>  
>> From: Stark, Vernon L. [mailto:Vernon.Stark at ...383...] 
>> Sent: Thursday, 21 February 2013 3:52 a.m.
>> To: snort-users at lists.sourceforge.net
>> Cc: Robert Cotter
>> Subject: FW: [Snort-users] Recent changes to SNORT 2.9.4.0 rulesets regarding PCRE syntax.
>>  
>> I’ve seen this with rules for version 2.9.3.1.  The rule I’ve had trouble with is one you list, sid:25773.  The error message I get is as follows.
>>  
>> FATAL ERROR: /etc/snort/rules/VRT-browser-ie.rules(120) : pcre compile of "var\s*?(?<m1>\w+)s*?=s*?document.createElement\s*?\([\x22\x27][\w]s*?[\x3a\x3b]\s*?shape[\x22\x27]\).*?(?P=m1)s*?.\s*?setAttribute\s*?\(\s*?[\x22\x27]\s*?path\s*?[\x22\x27]\s*?,\s*?[\x22\x27][^\x29]{506}.*?(?P=m1)\.s*?path" failed at offset 10 : unrecognized character after (?<
>>  
>> Vern
>>  
>> From: Robert Cotter [mailto:Robert.Cotter at ...16102...] 
>> Sent: Monday, February 18, 2013 3:54 PM
>> To: snort-users at lists.sourceforge.net
>> Subject: [Snort-users] Recent changes to SNORT 2.9.4.0 rulesets regarding PCRE syntax.
>>  
>> I noticed that on/about 14th February that some rules were changed to now use some newer PCRE commands/syntax that can crash SNORT depending on your version of PCRE libraries installed.
>>  
>> The problem only appears to occur if you have enabled any of the following rules.
>>  
>> ./rules/server-mail.rules: sid:16193
>> ./rules/browser-ie.rules: sid:25773 
>> ./rules/os-windows.rules: sid:13270
>> ./rules/os-windows.rules: sid:18171
>> ./rules/os-windows.rules: sid:13269
>> ./rules/os-windows.rules: sid:13271
>> ./rules/os-windows.rules: sid:15684
>> ./rules/os-windows.rules: sid:13272
>> ./rules/os-windows.rules: sid:18172
>>  
>> This is the error message.
>>  
>> ERROR: /var/appliedwatch/agent/data/agent.1/var/snort/policy/etc/../rules/browser-ie.rules(47) : pcre compile of "var\s*?(?<m1>\w+)s*?=s*?document.createElement\s*?\([\x22\x27][\w]s*?[\x3a\x3b]\s*?shape[\x22\x27]\).*?(?P=m1)s*?.\s*?setAttribute\s*?\(\s*?[\x22\x27]\s*?path\s*?[\x22\x27]\s*?,\s*?[\x22\x27][^\x29]{506}.*?(?P=m1)\.s*?path" failed at offset 10 : unrecognized character after (?<
>> Fatal Error, Quitting..
>>  
>> It appears that the old method of having a ‘(?P<’ instead of the newer ‘(?<’ syntax has triggered the issue.
>>  
>> Anyone else seen this?
>>  
>> There is no version dependency on the snort.org website
>>  
>> http://www.snort.org/start/requirements
>>  
>> except a link to pcre.org which only has a link to the latest version, being 8.32.
>>  
>> Anyone else been impacted by this?????
>>  
>> What’s the minimum version of PCRE required to support this syntax? Best I can find is that support for this was in 5.005 which is a lot older than the version of PCRE I am currently running.
>>  
>> Regards
>>  
>>  
>>  
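As an added example (not code from the thread or from the VRT rules), a small Python check for the `(?<name>` named-capture form inside Snort `pcre` options. Python's `re` module accepts only the `(?P<name>...)` form, so it reproduces the same class of compile failure on constructed rules shaped like the one in the thread, and applies the one-character fix Joel describes. The sample rules, sids and helper names are constructed for this example.

```python
import re

# Constructed sample rules in the shape of the sid:25773 pcre from the thread
# (not the real VRT rule text): A uses the "(?<name>" form that failed to
# compile, B the "(?P<name>" form that Joel says PCRE has had since 4.0.
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed A"; '
    'pcre:"/var\\s*?(?<m1>\\w+)\\s*?=.*?(?P=m1)\\.path/smi"; sid:9000001; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"constructed B"; '
    'pcre:"/var\\s*?(?P<m1>\\w+)\\s*?=.*?(?P=m1)\\.path/smi"; sid:9000002; rev:1;)',
]

# pcre:"/<body>/<flags>"; the body may contain backslash escapes (including \/)
PCRE_OPT = re.compile(r'pcre:"/(?P<body>(?:\\.|[^"/\\])*)/(?P<flags>[A-Za-z]*)"')
SID_OPT = re.compile(r'sid:(\d+);')
# "(?<name>" group opener; "(?<=" and "(?<!" lookbehinds are left alone
NEW_STYLE_GROUP = re.compile(r'\(\?<(?![=!])')
FLAG_MAP = {'i': re.I, 's': re.S, 'm': re.M}  # other Snort pcre flags ignored here

def extract_pcre(rule):
    """Return (body, flags) of the rule's pcre option, or None if absent."""
    m = PCRE_OPT.search(rule)
    return (m.group('body'), m.group('flags')) if m else None

def add_missing_letter(body):
    """The one-character fix from the thread: (?<name> -> (?P<name>."""
    return NEW_STYLE_GROUP.sub('(?P<', body)

def check_rule(rule):
    """Report whether the pcre compiles under a (?P<name>-only dialect."""
    sid = SID_OPT.search(rule)
    found = extract_pcre(rule)
    report = {'sid': sid.group(1) if sid else None, 'has_pcre': found is not None,
              'new_style_group': False, 'compiles': None, 'error': None}
    if not found:
        return report
    body, flags = found
    report['new_style_group'] = bool(NEW_STYLE_GROUP.search(body))
    opts = 0
    for f in flags:
        opts |= FLAG_MAP.get(f, 0)
    try:
        re.compile(body, opts)
        report['compiles'] = True
    except re.error as e:  # same class of failure as "unrecognized character after (?<"
        report['compiles'] = False
        report['error'] = str(e)
    return report
```

Run `check_rule` over each line of a rules file to find pcre options that need the `(?P<` form before deploying to a sensor with an older PCRE.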
