Bug #1

within doesn't respect distance while carrying out a match

Added by Victor Julien over 4 years ago. Updated about 4 years ago.

Status:ClosedStart date:11/09/2009
Priority:NormalDue date:11/30/2009
Assignee:Anoop Saldanha% Done:

100%

Category:-Estimated time:4.50 hours
Target version:0.8.2

Description

A signature containing content:"abc"; distance:1; within:3; can never match. The signature parser needs to detect this, print a error message and invalidate the signature.

^ Changing the problem statement to what Will has specified\

This actually valid. In snort distance moves where to begin searching for the match. So lets look at the following rule.

alert tcp any any -> any any (msg:"AllWorkAndNoPlay"; content:"AllWorkAndNoPlayMakesWill"; content:"DullBoy"; distance:1; within:7; sid:2;)

and the string

AllWorkAndNoPlayMakesWillADullBoy

In snort this will match as we simply move where to start looking for the within match here we move 1 byte past the end of the previous match skipping over the "A". Since "DullBoy" is seven bytes this rule alerts.

01/04-11:29:26.927934 [**] [1:2:0] AllWorkAndNoPlay [**] [Priority: 0] {TCP} 192.168.2.3:39867 -> 209.85.225.105:80
01/04-11:29:26.981495 [**] [1:2:0] AllWorkAndNoPlay [**] [Priority: 0] {TCP} 209.85.225.105:80 -> 192.168.2.3:39867

0001-Fix-for-bug-1.-Fixes-the-conflict-between-distance.patch Magnifier (4.93 KB) Anoop Saldanha, 02/17/2010 07:23 AM

allworkandnoplayplain.pcap - AllWorkAndNoPlayMakesWillADullBoy pcap (2.7 KB) Will Metcalf, 02/17/2010 08:18 AM

0001-Fix-for-bug-1.-Update-distance-within-keyword-to-be.patch Magnifier (38.6 KB) Anoop Saldanha, 03/02/2010 03:05 AM

History

#1 Updated by Victor Julien over 4 years ago

  • Estimated time set to 0.50

#2 Updated by Victor Julien over 4 years ago

  • Project changed from 1 to Suricata
  • Target version deleted (1)

#3 Updated by Victor Julien over 4 years ago

  • Due date set to 11/30/2009
  • Assignee set to OISF Dev
  • Target version set to 0.8.0

#4 Updated by Victor Julien over 4 years ago

  • Estimated time changed from 0.50 to 2.00

#5 Updated by Anoop Saldanha over 4 years ago

  • Assignee changed from OISF Dev to Anoop Saldanha

#6 Updated by Victor Julien about 4 years ago

  • Target version changed from 0.8.0 to 0.8.1

#7 Updated by Anoop Saldanha about 4 years ago

Fix attached against b28488508b9c91ebb1e77174b1e0e0533391d588

#8 Updated by Will Metcalf about 4 years ago

This actually valid. In snort distance moves where to begin searching for the match. So lets look at the following rule.

alert tcp any any -> any any (msg:"AllWorkAndNoPlay"; content:"AllWorkAndNoPlayMakesWill"; content:"DullBoy"; distance:1; within:7; sid:2;)

and the string

AllWorkAndNoPlayMakesWillADullBoy

In snort this will match as we simply move where to start looking for the within match here we move 1 byte past the end of the previous match skipping over the "A". Since "DullBoy" is seven bytes this rule alerts.

01/04-11:29:26.927934 [**] [1:2:0] AllWorkAndNoPlay [**] [Priority: 0] {TCP} 192.168.2.3:39867 -> 209.85.225.105:80
01/04-11:29:26.981495 [**] [1:2:0] AllWorkAndNoPlay [**] [Priority: 0] {TCP} 209.85.225.105:80 -> 192.168.2.3:39867

#9 Updated by Anoop Saldanha about 4 years ago

  • Subject changed from within and distance content modifiers can conflict to within doesn't respect distance while carrying out a match

#10 Updated by Victor Julien about 4 years ago

  • Target version changed from 0.8.1 to 0.8.2
  • Estimated time changed from 3.00 to 4.50

#12 Updated by Victor Julien about 4 years ago

Is this issue still valid? Anoop's patch fixes it in our old code, but that code changed significantly.

#13 Updated by Anoop Saldanha about 4 years ago

Victor Julien wrote:

Is this issue still valid? Anoop's patch fixes it in our old code, but that code changed significantly.

Let me recheck this thing with the new code.

#14 Updated by Victor Julien about 4 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

I believe this is no longer an issue. If it still is, please reopen the bug.

Also available in: Atom PDF