Can't parse Snort rule with error: rpc error: code = Unknown desc = invalid special characters escaping

[JessieQX]

I use the version github.com/google/gonids v0.0.0-20211022205232-4d00a2956aaa, and when using function gonids.ParseRule(resp.Snort) to parse our Snort rule, it returns error "rpc error: code = Unknown desc = invalid special characters escaping". The Snort rule has some special characters such as "/(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P". Could you help with it? Thanks.

[duanehoward]

@JessieQX Unfortunately, I'm not going to have time to debug this and update the code for a while, this project has had to take a bit of a back seat to other things at the moment. I may be able to review a pull request if you can provide it, however.

I also suspect that what you've provided here is insufficient to accurately debug your issue.
To the best of my knowledge

• the rpc error: code = bit comes from your own code (this library has no RPC related components)
• the Unknown desc probably referring to the rule Description is not found in our code base so I suspect that's also in your client code.

The error invalid special character escaping message is in our code however it refers to validation of a Content The text with special characters that you've provided here looks like a PCRE and not a Content

Without the full rule, it'll be hard to diagnose further, it's also worth noting that if you're using any newer Snort features those won't be supported here. We support most of the old Snort 2 language, and Suricata up through 5.x (and probably newer but I haven't tested).

If you can provide a complete rule that triggers this error, that could be helpful.