Suricata PCRE issue

327 views
Skip to first unread message

Avi Rothschild

unread,
Sep 20, 2018, 7:56:54 AM9/20/18
to securit...@googlegroups.com
Hello,

I am looking for assistance on how to resolve the below issue using SecOnion. Every time I add a Suricata rule with PCRE, I get an error code. What am I missing here?
--------
Error:

18/9/2018 -- 10:41:00 - <Notice> - This is Suricata version 4.0.0 RELEASE
18/9/2018 -- 10:41:00 - <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec failed: ret -1, optstr "msg"ET WEB_SPECIFIC_APPS Apache Struts memberAccess inbound OGNL injection remote code execution attempt"; flow:to_server,established; content:"|23|_memberAccess"; fast_pattern:only; http_uri; content:"new "; nocase; http_uri; pcre:"/new\s+(java|org|sun)/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2018-11776; classtype:attempted-admin; sid:2026035;"
18/9/2018 -- 10:41:00 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any any -> any any (msg"ET WEB_SPECIFIC_APPS Apache Struts memberAccess inbound OGNL injection remote code execution attempt"; flow:to_server,established; content:"|23|_memberAccess"; fast_pattern:only; http_uri; content:"new "; nocase; http_uri; pcre:"/new\s+(java|org|sun)/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2018-11776; classtype:attempted-admin; sid:2026035;)" from file /etc/nsm/rules/local.rules at line 5589
18/9/2018 -- 10:41:01 - <Notice> - all 9 packet processing threads, 4 management threads initialized, engine started.
18/9/2018 -- 10:41:01 - <Notice> - Signal Received.  Stopping engine.
18/9/2018 -- 10:41:01 - <Notice> - Pcap-file module read 30470 packets, 1390038 bytes

--------
Thanks,
~Avi

Wes Lambert

unread,
Sep 20, 2018, 12:12:31 PM9/20/18
to securit...@googlegroups.com
Are you trying to modify or disable this signature?

What do you have in /etc/nsm/pulledpork/disablesid.conf|modifysid.conf?

Thanks,
Wes

--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.


--

Avi Rothschild

unread,
Sep 20, 2018, 1:39:10 PM9/20/18
to securit...@googlegroups.com
Wes,

Thank you for your reply. I am trying to add PCRE syntax rules in my "local.rules" file. I did check the .conf files you mentioned, but I am not sure how it might help me. Am I supposed to enable PCRE somewhere?

Thanks,
~Avi

Wes Lambert

unread,
Sep 20, 2018, 1:51:41 PM9/20/18
to securit...@googlegroups.com
Sorry, was trying to do too many things at once -- I see what you are referring to now.

I'll take a look.

Thanks,
Wes

Wes Lambert

unread,
Sep 20, 2018, 2:10:23 PM9/20/18
to securit...@googlegroups.com
Hi Avi,

Try using something like the following:

alert tcp any any -> any any (msg:"ET WEB_SPECIFIC_APPS Apache Struts memberAccess inbound OGNL injection remote code execution attempt"; flow:to_server,established; content:"|23|_memberAccess"; fast_pattern:only; http_uri; content:"new "; nocase; http_uri; pcre:"/new\s+(java|org|sun)/Ui"; metadata: former_category WEB_SPECIFIC_APPS; reference:cve,2018-11776; classtype:attempted-admin; sid:900001;)

Thanks,
Wes
Reply all
Reply to author
Forward
0 new messages