Bug #1486
closedinvalid rule: parser err msg not descriptive enough
Description
12/6/2015 -- 13:29:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - filemagic keyword arguments should be always enclosed in double quotes. Invalid content keyword passed in this rule - ""picture" sid:5555555" 12/6/2015 -- 13:29:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> any any (msg:"File extract all these files"; content:"cnn.com"; http_host; filemagic:"picture" sid:5555555; rev:1;)" from file http-host.rules at line 1 12/6/2015 -- 13:29:04 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from http-host.rules
The err msg should be regarding the missing semicolon not double quotes.
VJ Updated by Victor Julien almost 11 years ago
- Status changed from New to Assigned
- Assignee set to Jason Ish
- Target version set to 3.0RC1
VJ Updated by Victor Julien over 10 years ago
- Target version changed from 3.0RC1 to 70
VJ Updated by Victor Julien about 10 years ago
- Subject changed from err msg not descriptive enough to invalid rule: parser err msg not descriptive enough
Funny that this ticket had a super vague description.
JI Updated by Jason Ish almost 10 years ago
How about something like this:
[3002] 19/9/2016 -- 10:16:41 - (detect-parse.c:614) <Error> (SigParseOptions) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - bad option value formatting (possible missing semicolon) for keyword filemagic: '"picture" sid:5555555'
I don't think we can be 100% positive that a missing semicolon is the issue. What we can do is, for any option value that starts with a double quote, ensure that it ends with a double quote exclusive of white space. This would be done at the high level option parsing, not at individual options.
PM Updated by Peter Manev almost 10 years ago
Since we cant be 100% positive if that is really the case - we can then try - bad value formatting for keyword filemagic: '"picture" sid:5555555' ?
JI Updated by Jason Ish almost 10 years ago
- Status changed from Assigned to Closed
- Target version changed from 70 to 3.2beta1
Fix merged. Includes better double quote checking. See https://github.com/inliniac/suricata/pull/2265