PHPIDS regex cannot be compiled about apache-scalp HOT 10 OPEN

The regexp is quite complex yeah, I cannot really help you but saying that I 
believe
the regexp is not well formed. Just a simple fact, the parenthesis don't match.

Did you try with the php-ids engine to see if it was compiling correctly -- 
which I
double? If not, you might want to report it there.

I still leave this issue open since I'm not sure what the problem exactly is.

[deleted comment]

same thing still happening

Remove the bloc lines numbered 45, and it will work.
This kind of regexp are hardley readable...

fgeek@example:~$ ./scalp-0.4.py -l sites/example.org/log/access.log 
error: the filters file (XML) doesn't exist
please download it at 
https://svn.php-ids.org/svn/trunk/lib/IDS/default_filter.xml

File default_filter.xml still has that regexp and should be removed/changed.


b9a147a93ade7540982ba792e54cc8a6a427a9d1  default_filter.xml
dd4c6a2800e7ebb135a61526a88c231901cf5599  scalp-0.4.py

IWFM: Removed filter id 44,45,46 from .xml 

I've found a few links to this in the historical updates wiki ( trac ) which 
show this section changing in rule 45: 
"<id>45</id><rule><![CDATA[(?:union\s*(?:all|distinct|[(!@]*)\s*[([]*\s*select)|
(?:\w+\s+like\s+\"

I've found that there are versions with "(!@]*)?\s*" and "(!@]*)*\s*", but 
older versions have "(!@]*)\s*".

I've found that the last version permits it to compile and run fine ( although 
the developers must be seeing some misidentification or they wouldn't fix it.. 
;-)

HTH, tom.

Number 73 '(?i:(\%SYSTEMROOT\%))' doesn't compile either.

The most up to date file is here:

https://raw.github.com/PHPIDS/PHPIDS/master/lib/IDS/default_filter.xml