Project

General

Profile

Actions
Copy link

Bug #1481

closed

Leading whitespace in flowbits variable names

Added by David Wharton about 9 years ago. Updated almost 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jason Ish
Target version:
3.0RC1
Affected Versions:
Effort:
Difficulty:
Label:

Description

I'm not sure if this is a bug or feature request so please feel free to reclassify if necessary.

Apparently, leading whitespace in flowbits variable names matters. If you set a flowbit like this: 'flowbits:set, jpg.cats;', the check has to include the leading whitespace for it to work: 'flowbits:isset, jpg.cats;'. Checking it like this will NOT work in Suricata (but will in Snort since Snort ignores leading whitespace in the name of flowbits variables): 'flowbits:isset,jpg.cats;'. Trailing whitespace is ignored in Suricata and Snort.

I can see this being an issue for people converting Snort rules to Suricata. (As an aside, the EmergingThreats Suricata ruleset does not uses spaces before the flowbits variable names so this is a non-issue for that ruleset.) I think leading whitespace in flowbits variable names should be ignored.

Actions
Copy link
 #1

Updated by Victor Julien about 9 years ago

  • Status changed from New to Assigned
  • Assignee set to Jason Ish
  • Target version set to 3.0RC1

Jason, can you have a look at this?

Actions
Copy link
 #2

Updated by Victor Julien about 9 years ago

Btw, I think we should strip leading whitespace as well.

Actions
Copy link
 #3

Updated by Jason Ish about 9 years ago

Yes, will look at this.

Actions
Copy link
 #4

Updated by Victor Julien almost 9 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100
Actions
Copy link

Also available in: Atom PDF