Bug #1042
closedCan't match "emailAddress" field in tls.subject and tls.issuerdn
Description
This rule:
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"RDG possible Upatre Downloader SSL certificate emailAddress"; flow:established,from_server; tls.subject:"emailAddress=ds@ds.fds"; classtype:trojan-activity; sid:380000002; rev:1;)
fails with "(detect-tls.c:269) <Error> (DetectTlsSubjectParse) -- [ERRCODE: SC_ERR_PCRE_MATCH(2)] - invalid tls.subject option" in suricata.log.
It seems the rule parser is disallowing the "@" character.
I've tried modifying src/detect-tls.c :
--- src/detect-tls.c.orig 2013-11-19 10:39:24.651883765 +0000 +++ src/detect-tls.c 2013-11-20 00:37:41.791132862 +0000 @@ -64,8 +64,8 @@ * \brief Regex for parsing "id" option, matching number or "number" */ -#define PARSE_REGEX "^\\s*(\\!*)\\s*([A-z0-9\\s\\-\\.=,\\*]+|\"[A-z0-9\\s\\-\\.=,\\*]+\")\\s*$" -#define PARSE_REGEX_FINGERPRINT "^\\s*(\\!*)\\s*([A-z0-9\\:\\*]+|\"[A-z0-9\\:\\* ]+\")\\s*$" +#define PARSE_REGEX "^\\s*(\\!*)\\s*([A-z0-9\\s\\-\\.=,\\*\\@]+|\"[A-z0-9\\s\\-\\.=,\\*\\@]+\")\\s*$" +#define PARSE_REGEX_FINGERPRINT "^\\s*(\\!*)\\s*([A-z0-9\\:\\*\\@]+|\"[A-z0-9\\:\\* \\@]+\")\\s*$" static pcre *subject_parse_regex; static pcre_extra *subject_parse_regex_study;
which appears to solve the problem, but I'm not sure whether it was necessary to modify all the character classes in those regular expressions.
Updated by Victor Julien over 10 years ago
- Status changed from New to Assigned
- Assignee set to Victor Julien
- Target version set to 2.0beta2
Updated by Victor Julien over 10 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Merged https://github.com/inliniac/suricata/pull/680, thanks Chris!
I only updated the PARSE_REGEX, which is used by tls.subject and tls.issuerdn.