How is it possible that suricata and mod_security use different values to evaluate insensitive expressions?

Within mod_security equivalent pcre for insensitive should be (as we can see on rx directive): "@rx (?i)nikto"

while in suricata should be /nikto/i 

So if both are using pcre software and libraries, how is it possible that insensitive searchs perform in different way for each software?

If I want to parse a pcre to match a vulnerability, not exploit, should I parse all the pcre into normal content and finally convert it again into pcre for mod_security?

Which pcre does modsecurity uses? Is there any manual reference?

Kind regards,


2014-01-29 Jose Pablo Valcárcel Lázaro <pablo.valcarcel1980@gmail.com>
Good morning.

I was wondering if someone could advice me how to convert regular expression as 
/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E2883E8F-472F-4fb0-9522-AC9BF37916A7.+offer-(ineligible|preinstalled|declined|accepted)/si

into mod_security compatible regular expression.

Looking at the exploit exploit vulnerability string is 
<object id=TestObj classid="CLSID:{E2883E8F-472F-4fb0-9522-AC9BF37916A7}"

So I understand that using the pcre you should be able to stop any variation of the exploit?

Kind regards,