[Snort-users] Problem with rule sid 33323

Patrick Mullen pmullen at ...1935...
Fri Feb 20 11:34:06 EST 2015


Guillaume,

While that rule could be modified to work on your system, the release date
of CentOS 5.3 was April 2009 and your version of PCRE is from Feb 2006,
which is a full nine years old.  This is an issue that is going to keep
happening for you (in fact, I suspect that if you were to remove that rule,
another rule would show itself as having a similar "parse error.").  I
recommend updating your system to something modern, especially since it's a
security device.


Thanks,

~Patrick

On Thu, Feb 19, 2015 at 9:59 AM, Guillaume Daleux <
guillaume.daleux at ...13827...> wrote:

>  Hello all,
>
>
>
> I have an error with rule sid 33323.
>
>
>
> *Error : *failed at offset 3 : unrecognized character after (?<
>
>
>
> *Resolution :* Update PCRE version (it works with PCRE version 7.8)
>
>
>
> *Bug details (debugging PCRE):*
>
> [root at ...17102... ~]# pcretest
>
> PCRE version 6.6 06-Feb-2006
>
>
>
>   re>
> "/(?<RS>\w+)\s?=\s?document\x2egetElementById\x28[\x22\x27]\w+[\x22\x27]\xx22\x27]\x29.*\k<RS>.DataSource\s?=\s?\k<OBJ>/smi"
>
> Failed: unrecognized character after (?< at offset 4
>
>
>
> *Problem:* I’m running CentOS  5.3 and the latest official PCRE version
> presents in the repository is 6.6
>
>
>
> *Question:* Is there another way to write this rule and make it works
> without updating the PCRE version ?
>
>
>
> Regards,
>
>
>
> Guillaume DALEUX
>
>
>
>
> ------------------------------------------------------------------------------
> Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
> from Actuate! Instantly Supercharge Your Business Reports and Dashboards
> with Interactivity, Sharing, Native Excel Exports, App Integration & more
> Get technology previously reserved for billion-dollar corporations, FREE
>
> http://pubads.g.doubleclick.net/gampad/clk?id=190641631&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>



-- 
Patrick Mullen
Response Research Manager
Sourcefire VRT
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150220/3960deb5/attachment.html>


More information about the Snort-users mailing list