snort3: bump to 3.5.1.0

[Ansuel]

Bump snort3 to 3.5.1.0. Manually refresh the PCRE2 patch to latest
changes.

Signed-off-by: Christian Marangi [email protected]

[Ansuel]

@Neustradamus Since i see you love doing research I'm curious how much people are using downstream patch (and maybe mine) for PCRE2 in package repositories

[graysky2]

Had to make two modifications as detailed here. After that, snort seems to be functional.

Recommend merge.

Build system: x86/64
Build-tested: x86/64/AMD Cezanne
Run-tested: x86/64/AMD Cezanne

[Ansuel]

Honestly using pcre2_to_regex doesn't make sense and the compile error should be investigated... Would be good to have repro steps...

[graysky2]

@Ansuel - I PM'ed a few of the active snort users in the forums asking them to join the conversation (xxxx and efahl)

Had to make two modifications as detailed here. After that, snort seems to be functional.

To save time looking up that thread, these are the two changes I made to get this working:

1. In processing the raw rules, I have this step: sed -i 's/pcre:/pcre2:/g' snort.rules
2. I modified /etc/snort/local.lua as follows:

 detection = { 
        hyperscan_literals = true,
-       pcre_to_regex = true,
+       -- pcre_to_regex = true,
+       pcre2_to_regex = false,
 }

[efahl]

It still seems more appropriate to add wrappers in the API code so that the exported symbol names don't change (and thus the user defined lua-config files would need no modifications). The changes in an underlying library should not propagate into breaking changes in the config files (even if the original implementers of snort made the poor choice of using the underlying library's name in their public API).

[Ansuel]

@efahl this might be O.K. for trivial library/program, not for a security intrusion program where something silently changing might produce intrusion not detected.

I feel manual checkup is still needed. But yes needs to se... all the rename from pcre to pcre2 can be skipped but we need to discuss that.

[Neustradamus]

@Ansuel: Thanks for your PR!

@graysky2 is here :)

A discussion here about pcre vs pcre2:

• [RFT] core: convert project to PCRE2 snort3/snort3#326

[graysky2]

Upstream is actively working on this and thinking about the user experience (not changing configure files or tweaking rules). I do not know timing thought and since our snort package has not been updated since dropping pcre going back 5 months now, my recommendation is to merge this even though doing so will require users to make a few tweaks.