Bug #1481

closed

Leading whitespace in flowbits variable names

Added by David Wharton over 7 years ago. Updated about 7 years ago.

Status: Closed
Priority: Normal

Description

I'm not sure if this is a bug or feature request so please feel free to reclassify if necessary.

Apparently, leading whitespace in flowbits variable names matters. If you set a flowbit like this: 'flowbits:set, jpg.cats;', the check has to include the leading whitespace for it to work: 'flowbits:isset, jpg.cats;'. Checking it like this will NOT work in Suricata (but will in Snort since Snort ignores leading whitespace in the name of flowbits variables): 'flowbits:isset,jpg.cats;'. Trailing whitespace is ignored in Suricata and Snort.

I can see this being an issue for people converting Snort rules to Suricata. (As an aside, the EmergingThreats Suricata ruleset does not use spaces before the flowbits variable names, so this is a non-issue for that ruleset.) I think leading whitespace in flowbits variable names should be ignored.
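An added example, not part of the original report or of Suricata's code: a small rule linter that flags flowbits checks which match a setter only after leading whitespace is stripped, the mismatch this report describes for Snort rules converted to Suricata. The rules, msgs and sids are constructed samples, the function names are hypothetical, and the simple regex assumes no `;` inside a flowbits option and no `flowbits:` text inside other option values.

```python
import re

# One flowbits option, e.g. "flowbits:set, jpg.cats;" or "flowbits:noalert;"
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*(\w+)\s*(?:,([^;]*))?;")
SETTERS = {"set", "toggle"}
CHECKERS = {"isset", "isnotset"}

# Constructed sample rules (hypothetical msgs and sids).
SAMPLE_RULES = [
    'alert http any any -> any any (msg:"jpg seen"; flowbits:set, jpg.cats; flowbits:noalert; sid:1000001;)',
    'alert http any any -> any any (msg:"check, no space"; flowbits:isset,jpg.cats; sid:1000002;)',
    'alert http any any -> any any (msg:"check, same space"; flowbits:isset, jpg.cats ; sid:1000003;)',
]

def flowbit_names(rule):
    """Yield (action, raw_name) for each flowbits option that names a variable.

    raw_name keeps leading whitespace and drops trailing whitespace, which is
    how the report says names were compared in Suricata."""
    for match in FLOWBITS_RE.finditer(rule):
        action, name = match.group(1), match.group(2)
        if name is not None:  # "noalert" carries no variable name
            yield action, name.rstrip()

def broken_checks(rules):
    """Return (rule_index, action, raw_name) for checks that have no setter
    with the identical raw name but do have one once leading whitespace is
    stripped, i.e. rules that behave differently under the two comparisons."""
    set_raw, checks = set(), []
    for index, rule in enumerate(rules):
        for action, raw in flowbit_names(rule):
            if action in SETTERS:
                set_raw.add(raw)
            elif action in CHECKERS:
                checks.append((index, action, raw))
    set_stripped = {raw.lstrip() for raw in set_raw}
    return [c for c in checks
            if c[2] not in set_raw and c[2].lstrip() in set_stripped]

if __name__ == "__main__":
    for index, action, raw in broken_checks(SAMPLE_RULES):
        print(f"rule {index}: flowbits:{action},{raw!r} differs from its "
              f"setter only by leading whitespace")
```

Running it over a converted ruleset before deployment lists the checks to normalize; stripping the whitespace on both the setter and the check makes the rule behave the same under either comparison.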
