How is it possible that suricata and mod_security use different values to evaluate insensitive expressions?
Within mod_security equivalent pcre for insensitive should be (as we can see on rx directive): "@rx (?i)nikto"
while in suricata should be /nikto/i
So if both are using pcre software and libraries, how is it possible that insensitive searchs perform in different way for each software?
If I want to parse a pcre to match a vulnerability, not exploit, should I parse all the pcre into normal content and finally convert it again into pcre for mod_security?
Which pcre does modsecurity uses? Is there any manual reference?