[Snort-users] Problem with rule sid 33323

Guillaume Daleux guillaume.daleux at ...13827...
Fri Feb 20 12:28:26 EST 2015

Hello Patrick,

Yes I understand but I have some important deployment constraints and that is why I use a LTS release of CentOS. (which has full update until Q1 2014 and Maintenance updates until 2017. )

I found a workaround by repackaging the PCRE version provides in Centos 6.0 repository.



From: Patrick Mullen [mailto:pmullen at ...1935...]
Sent: February-20-15 11:34 AM
To: Guillaume Daleux
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Problem with rule sid 33323


While that rule could be modified to work on your system, the release date of CentOS 5.3 was April 2009 and your version of PCRE is from Feb 2006, which is a full nine years old.  This is an issue that is going to keep happening for you (in fact, I suspect that if you were to remove that rule, another rule would show itself as having a similar "parse error.").  I recommend updating your system to something modern, especially since it's a security device.



On Thu, Feb 19, 2015 at 9:59 AM, Guillaume Daleux <guillaume.daleux at ...13827...<mailto:guillaume.daleux at ...13827...>> wrote:
Hello all,

I have an error with rule sid 33323.

Error : failed at offset 3 : unrecognized character after (?<

Resolution : Update PCRE version (it works with PCRE version 7.8)

Bug details (debugging PCRE):
[root at ...17102... ~]# pcretest
PCRE version 6.6 06-Feb-2006

  re> "/(?<RS>\w+)\s?=\s?document\x2egetElementById\x28[\x22\x27]\w+[\x22\x27]\xx22\x27]\x29.*\k<RS>.DataSource\s?=\s?\k<OBJ>/smi"
Failed: unrecognized character after (?< at offset 4

Problem: I’m running CentOS  5.3 and the latest official PCRE version presents in the repository is 6.6

Question: Is there another way to write this rule and make it works without updating the PCRE version ?


Guillaume DALEUX

Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Patrick Mullen
Response Research Manager
Sourcefire VRT
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150220/152bcc96/attachment.html>

More information about the Snort-users mailing list