Bug #12: Negated pcre treated as a normal match - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #12

closed

Negated pcre treated as a normal match

Added by Will Metcalf almost 15 years ago. Updated almost 15 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Victor Julien

Target version:

0.8.0

Affected Versions:

Effort:

Difficulty:

Label:

Description

given a packet with the following payload of:

AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy AllWorkAndNoPlayMakesVictorADullBoy

the following rules should not fire but they do. I have attached a patch with a failing unit tests.
alert tcp any any -> any any (msg:"all work and no play"; content:"AllWork"; pcre:"!/AndNoPlay/i"; sid: 1);
alert tcp any any -> any any (msg:"all work and no play"; content:"AllWork"; pcre:!"/AndNoPlay/i"; sid: 2);

Files

0001-failing-unit-test-showing-negated-pcre-treated-as-no.patch (3.16 KB) 0001-failing-unit-test-showing-negated-pcre-treated-as-no.patch

unit test showing that negated pcre matches are treated as non-negated matches

Will Metcalf, 11/24/2009 08:58 PM

Actions

Copy link

Updated by Will Metcalf almost 15 years ago

rules should have been...
alert tcp any any -> any any (msg:"all work and no play"; content:"AllWork"; pcre:"!/AndNoPlay/i"; sid:1;)
alert tcp any any -> any any (msg:"all work and no play"; content:"AllWork"; pcre:!"/AndNoPlay/i"; sid:2;)

Actions

Copy link