Bug #1061: Multiple flowbit set in one rule - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #1061

closed

Multiple flowbit set in one rule

Added by Amin Latifi about 11 years ago. Updated about 11 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Victor Julien

Target version:

2.0beta2

Affected Versions:

Effort:

Difficulty:

Label:

Description

If we want to set multiple flowbits in one rule, snort has suggested used the below syntax:

flowbits:set,bit2&bit3;

But, in suricata writing the following syntax for the same logic does not provide any error!

flowbits:set,bit2; flowbits:set,bit3;

Unfortunately, regardless of its correctness in logic prospective, it has some bad effects on function SCSigGetFlowbitsType at detect-engine-sigorder.c file. Since in this function programmer expected just one instance of each type of read and write flowbit command. So, after counting each type of flowbit commands i.e. read and write; had written the following code:

    if (read == 1 && write == 0) {
        flowbits_user_type = DETECT_FLOWBITS_TYPE_READ;
    } else if (read == 0 && write == 1) {
        flowbits_user_type = DETECT_FLOWBITS_TYPE_SET;
    } else if (read == 1 && write == 1) {
        flowbits_user_type = DETECT_FLOWBITS_TYPE_SET_READ;
    }

Hence, if we set two flowbits in second format, the write variable will have value 2!

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #1061

Multiple flowbit set in one rule

Updated by Victor Julien about 11 years ago

Updated by Amin Latifi about 11 years ago

Updated by Victor Julien about 11 years ago

Updated by Amin Latifi about 11 years ago

Updated by Victor Julien about 11 years ago

Updated by Victor Julien about 11 years ago