PHPIDS regex cannot be compiled

[GoogleCodeExporter]

Hi,

With the latest PHPIDS rules, I get the following error with Scalp (Python
version):

The rule
(?:union\s*(?:all|distinct|[(!@]*)?\s*[([]\s*select)|(?:\w+\s+like\s+\")|(?:like
\s*"\%)|(?:"\s*like\W*["\d])|(?:"\s*(?:n?and|x?or|not
|\|\||\&\&)\s+[\s\w]+=\s*\w+\s*having)|(?:"\s*\*\s*\w+\W+")|(?:"\s*[^?\w\s=.,;)(
]+\s*[(@]*\s*\w+\W+\w)|(?:select\s*[\[\]()\s\w\.,-]+from)]]
cannot be compiled properly

The rules are a bit too complex for me to try debugging :) For now, I've
just removed this rule from the filter file. 

Is there an easy way to make it compile with Scalp?

Thanks

Original issue reported on code.google.com by krier....@skynet.be on 18 Apr 2009 at 8:12

[GoogleCodeExporter]

The regexp is quite complex yeah, I cannot really help you but saying that I 
believe
the regexp is not well formed. Just a simple fact, the parenthesis don't match.

Did you try with the php-ids engine to see if it was compiling correctly -- 
which I
double? If not, you might want to report it there.

I still leave this issue open since I'm not sure what the problem exactly is.

Original comment by romain.g...@gmail.com on 24 Apr 2009 at 2:15

[GoogleCodeExporter]

Original comment by romain.g...@gmail.com on 24 Apr 2009 at 2:18

• Added labels: Usability

[GoogleCodeExporter]

[deleted comment]

[GoogleCodeExporter]

same thing still happening

Original comment by chrisg8...@gmail.com on 26 Jul 2009 at 8:38

[GoogleCodeExporter]

Remove the bloc lines numbered 45, and it will work.
This kind of regexp are hardley readable...

Original comment by stephane...@gmail.com on 28 Dec 2009 at 5:38

[GoogleCodeExporter]

fgeek@example:~$ ./scalp-0.4.py -l sites/example.org/log/access.log 
error: the filters file (XML) doesn't exist
please download it at 
https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml

File default_filter.xml still has that regexp and should be removed/changed.

b9a147a93ade7540982ba792e54cc8a6a427a9d1  default_filter.xml
dd4c6a2800e7ebb135a61526a88c231901cf5599  scalp-0.4.py

Original comment by he...@nerv.fi on 1 Jul 2010 at 5:37

[GoogleCodeExporter]

IWFM: Removed filter id 44,45,46 from .xml 

Original comment by depeche....@gmail.com on 30 Aug 2010 at 8:09

[GoogleCodeExporter]

I've found a few links to this in the historical updates wiki ( trac ) which 
show this section changing in rule 45: 
"<id>45</id><rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]*)\s*[([]*\s*select)|
(?:\w+\s+like\s+\"

I've found that there are versions with "(!@]*)?\s*" and "(!@]*)*\s*", but 
older versions have "(!@]*)\s*".

I've found that the last version permits it to compile and run fine ( although 
the developers must be seeing some misidentification or they wouldn't fix it.. 
;-)

HTH, tom.

Original comment by tom.cle...@gmail.com on 25 Oct 2010 at 3:27

[GoogleCodeExporter]

Number 73 '(?i:(\%SYSTEMROOT\%))' doesn't compile either.

Original comment by m...@elundmark.se on 6 Jan 2013 at 12:14

[GoogleCodeExporter]

The most up to date file is here:

https://raw.github.com/PHPIDS/PHPIDS/master/lib/IDS/default_filter.xml

Original comment by da...@codenoevil.com on 5 Sep 2013 at 3:42