Rule updating broken? after upgrade from 7.0.9 to 7.0.11 (suricata-update 1.3.4 to 1.3.6)

I am running Suricata version 7.0.9 on RHEL 9.4 installed from a self-packaged rpm (I am following the “official” spec file). Now when I upgrade to 7.0.11 the upgrade script is unable to parse the regexes in the enable.conf file (verbose log does not show any regexes parsed) and thus not loading any rules as my disable.conf contains re:^.*.

When I revert back to 7.0.9 the regexes are shown to be loaded in verbose mode (suricata-update -v …).

One sample regex that fails is (I am simplifying it as there are a lot more sids in the actual regex):

re:^.+\(msg:\"(ET|ETPRO)\s+(CURRENT|MALWARE|MOBILE_MALWARE|TROJAN|CNC|ACTIVEX|WORM|NETBIOS|USER_AGENTS).+\s+sid:\s?(?!(2026850|2809199);).*$

when I change it to

re:^.+\(msg:\"(ET|ETPRO)\s+(CURRENT|MALWARE|MOBILE_MALWARE|TROJAN|CNC|ACTIVEX|WORM|NETBIOS|USER_AGENTS).*$

it will be loaded by both suricata-update 1.3.4 and 1.3.6.

Can anyone please confirm that this is not a local issue and something has changed in rule inclusion/exclusion regex parsing between 1.3.4 and 1.3.6. If it is confirmed and I can rule out having not messed up the rpm and the issue is real I can move to submitting a bug report. Thank you all!
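To check which rules a re: entry selects independently of the suricata-update version, here is an added Python example (not suricata-update's own code and not from this thread). The sample rules and the config text are constructed; the matcher semantics (each re: pattern searched against the full rule line) are assumed to mirror the documented re: syntax.

```python
import re

# Constructed sample rules in Suricata syntax (not real ET/ETPRO rules).
# The sids 2026850 and 2809199 are the ones named in the posted regex.
SAMPLE_RULES = [
    'alert http any any -> any any (msg:"ET MALWARE Example beacon"; sid:2000001; rev:1;)',
    'alert http any any -> any any (msg:"ET MALWARE Example keep"; sid:2026850; rev:1;)',
    'alert tcp any any -> any any (msg:"ETPRO TROJAN Example keep"; sid:2809199; rev:1;)',
    'alert tcp any any -> any any (msg:"ET POLICY Example policy"; sid:2000002; rev:1;)',
    'alert tcp any any -> any any (msg:"ET CNC Example cnc"; sid:2000003; rev:1;)',
]

# Constructed disable.conf contents: the posted regex with the negative lookahead
# that protects two sids, and the simplified variant without it.
DISABLE_CONF = r"""
# comment lines and blank lines are ignored
re:^.+\(msg:\"(ET|ETPRO)\s+(CURRENT|MALWARE|MOBILE_MALWARE|TROJAN|CNC|ACTIVEX|WORM|NETBIOS|USER_AGENTS).+\s+sid:\s?(?!(2026850|2809199);).*$
"""
SIMPLIFIED_CONF = r"""
re:^.+\(msg:\"(ET|ETPRO)\s+(CURRENT|MALWARE|MOBILE_MALWARE|TROJAN|CNC|ACTIVEX|WORM|NETBIOS|USER_AGENTS).*$
"""

def parse_matchers(conf_text):
    """Compile every 're:' entry of an enable/disable file.
    Assumption: only the regex matcher type is handled here (sid:, group:, ... are skipped)."""
    matchers = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("re:"):
            matchers.append(re.compile(line[3:]))
    return matchers

def sid_of(rule):
    """Extract the numeric sid from a rule line."""
    return int(re.search(r"\bsid:\s*(\d+);", rule).group(1))

def apply_disable(rules, conf_text):
    """Return the set of sids that the re: matchers in conf_text would disable."""
    matchers = parse_matchers(conf_text)
    return {sid_of(r) for r in rules if any(m.search(r) for m in matchers)}

if __name__ == "__main__":
    for name, conf in (("posted regex", DISABLE_CONF), ("simplified regex", SIMPLIFIED_CONF)):
        disabled = apply_disable(SAMPLE_RULES, conf)
        print(name, "disables sids:", sorted(disabled))
```

Running this on the constructed rules shows the posted regex disabling 2000001 and 2000003 only, while the simplified variant also disables the two protected sids.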

Do you have some rules (don’t paste pro rules) that you expect this to match on? I’m not having it match on any rule using S-U 1.3.4. I do not see it loading in 1.3.6 either, investigating.

Yes, this appears to be a bug introduced in 1.3.5.

Ticket: Bug #7922: rules: some regular expressions matchers fail to be picked up as regular expression matches - Suricata-Update - Open Information Security Foundation

Hi! Any updates on this? Currently facing the same issue. Would be great to know an expected date for the new version, to consider a workaround. Thanks!

It’ll be part of our next patch release. Earlier if you want to pull from the suricata-update repo directly, but that is not ready yet either.