Bug #1061
Multiple flowbit set in one rule
Status: Closed
Description
If we want to set multiple flowbits in one rule, Snort has suggested using the syntax below:
flowbits:set,bit2&bit3;
But in Suricata, writing the following syntax for the same logic does not produce any error!
flowbits:set,bit2; flowbits:set,bit3;
Unfortunately, regardless of its correctness from a logic perspective, it has some bad effects on the function SCSigGetFlowbitsType in the file detect-engine-sigorder.c, since in this function the programmer expected just one instance of each type of read and write flowbit command. So, after counting each type of flowbit command, i.e. read and write, the following code was written:
if (read == 1 && write == 0) {
    flowbits_user_type = DETECT_FLOWBITS_TYPE_READ;
} else if (read == 0 && write == 1) {
    flowbits_user_type = DETECT_FLOWBITS_TYPE_SET;
} else if (read == 1 && write == 1) {
    flowbits_user_type = DETECT_FLOWBITS_TYPE_SET_READ;
}
Hence, if we set two flowbits in the second format, the write variable will have value 2!
Updated by Victor Julien almost 11 years ago
We don't support the syntax setting multiple bits in one statement. I think the "flowbits:set,bit2&bit3;" case we actually consider it to be one flowbit, named "bit2&bit3".
I don't understand the 2nd part of your report.
Updated by Amin Latifi almost 11 years ago
I mean Suricata accepts the second syntax without any error!
Updated by Victor Julien almost 11 years ago
I don't see a problem with that syntax. What's wrong with it? 2 separate keywords will just set up 2 keywords in the rule structure, each with their own sigmatch, flowbit data, postmatch, etc.
Updated by Amin Latifi almost 11 years ago
The problem is in the SCSigGetFlowbitsType function: we expect just zero or one instance of the flowbits:set:....; keyword. If we have two or more of them, this function does not work appropriately. Consider the code below again:
if (read == 1 && write == 0) {
    flowbits_user_type = DETECT_FLOWBITS_TYPE_READ;
} else if (read == 0 && write == 1) {
    flowbits_user_type = DETECT_FLOWBITS_TYPE_SET;
} else if (read == 1 && write == 1) {
    flowbits_user_type = DETECT_FLOWBITS_TYPE_SET_READ;
}
Here, if we have two flowbits:set:....;, the write variable will have value 2.
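To make the counting problem concrete, here is an added example (not Suricata's own code) that models the classification in SCSigGetFlowbitsType over a small constructed rule model: FlowbitsTypeBuggy applies the exact-count checks quoted above, while FlowbitsTypeFixed uses a presence check, which is my assumed remedy and not necessarily the upstream fix. The FlowbitKw struct, the sample rule arrays and the numeric enum values are all assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>
/* Stand-in for Suricata's flowbits type constants: the names are from the
 * report, the numeric values are assumed. */
enum { FLOWBITS_NONE = 0, DETECT_FLOWBITS_TYPE_READ, DETECT_FLOWBITS_TYPE_SET,
       DETECT_FLOWBITS_TYPE_SET_READ };
/* One flowbits keyword of a rule, e.g. "flowbits:set,bit2;" (constructed model). */
typedef struct {
    const char *cmd;   /* "isset"/"isnotset" read a bit; "set"/"unset"/"toggle" write it */
    const char *name;
} FlowbitKw;

/* Constructed sample rules taken from the thread. */
static const FlowbitKw kTwoSets[] = { {"set", "bit2"}, {"set", "bit3"} }; /* two set keywords */
static const FlowbitKw kOneSet[]  = { {"set", "bit2"} };
static const FlowbitKw kSetRead[] = { {"isset", "bit1"}, {"set", "bit2"} };

/* Count read-style and write-style flowbits keywords in one rule. */
static void CountFlowbits(const FlowbitKw *kws, size_t n, int *read, int *write)
{
    *read = *write = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(kws[i].cmd, "isset") == 0 || strcmp(kws[i].cmd, "isnotset") == 0)
            (*read)++;
        else
            (*write)++;
    }
}

/* Classification as quoted in the report: exact counts, so a rule with two
 * "set" keywords (write == 2) matches no branch and gets no type at all. */
int FlowbitsTypeBuggy(const FlowbitKw *kws, size_t n)
{
    int read, write;
    CountFlowbits(kws, n, &read, &write);
    if (read == 1 && write == 0) return DETECT_FLOWBITS_TYPE_READ;
    if (read == 0 && write == 1) return DETECT_FLOWBITS_TYPE_SET;
    if (read == 1 && write == 1) return DETECT_FLOWBITS_TYPE_SET_READ;
    return FLOWBITS_NONE;
}

/* Corrected classification (assumed approach, not necessarily the upstream
 * fix): only whether each operation is present matters, not how often. */
int FlowbitsTypeFixed(const FlowbitKw *kws, size_t n)
{
    int read, write;
    CountFlowbits(kws, n, &read, &write);
    if (read > 0 && write > 0) return DETECT_FLOWBITS_TYPE_SET_READ;
    if (read > 0) return DETECT_FLOWBITS_TYPE_READ;
    return write > 0 ? DETECT_FLOWBITS_TYPE_SET : FLOWBITS_NONE;
}
```

With kTwoSets the buggy version returns FLOWBITS_NONE, so the rule would be ordered as if it used no flowbits at all, while the fixed version returns DETECT_FLOWBITS_TYPE_SET.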
Updated by Victor Julien almost 11 years ago
- Status changed from New to Assigned
- Target version changed from TBD to 2.0beta2
Ah yes, good catch. Working on a fix.
Updated by Victor Julien almost 11 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Fixed by:
commit f6e37dcc90963a944493bea835f22af7b6329bb2
Author: Victor Julien <victor@inliniac.net>
Date:   Tue Dec 10 09:30:48 2013 +0100

    Bug 1061: fix multiple vars per sig in ordering

    In sigordering rules that had multiple vars doing the same operation, like setting multiple flowbits, would not be considered correctly. Bug 1061.
Opened #1063 for 1.4.7.