Project

General

Profile

Actions
Copy link

Bug #1486

closed
PM JI

invalid rule: parser err msg not descriptive enough

Bug #1486: invalid rule: parser err msg not descriptive enough

Added by Peter Manev almost 11 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jason Ish
Target version:
3.2beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

12/6/2015 -- 13:29:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - filemagic keyword arguments should be always enclosed in double quotes.  Invalid content keyword passed in this rule - ""picture" sid:5555555" 
12/6/2015 -- 13:29:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> any any (msg:"File extract all these files"; content:"cnn.com"; http_host; filemagic:"picture" sid:5555555; rev:1;)" from file http-host.rules at line 1
12/6/2015 -- 13:29:04 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from http-host.rules

The err msg should be regarding the missing semicolon not double quotes.

VJ Updated by Victor Julien almost 11 years ago Actions
Copy link
 #1

  • Status changed from New to Assigned
  • Assignee set to Jason Ish
  • Target version set to 3.0RC1

VJ Updated by Victor Julien over 10 years ago Actions
Copy link
 #2

  • Target version changed from 3.0RC1 to 70

VJ Updated by Victor Julien almost 10 years ago Actions
Copy link
 #3

  • Subject changed from err msg not descriptive enough to invalid rule: parser err msg not descriptive enough

Funny that this ticket had a super vague description.

JI Updated by Jason Ish over 9 years ago Actions
Copy link
 #4

How about something like this:

[3002] 19/9/2016 -- 10:16:41 - (detect-parse.c:614) <Error> (SigParseOptions) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - bad option value formatting (possible missing semicolon) for keyword filemagic: '"picture" sid:5555555'

I don't think we can be 100% positive that a missing semicolon is the issue. What we can do is, for any option value that starts with a double quote, ensure that it ends with a double quote exclusive of white space. This would be done at the high level option parsing, not at individual options.

PM Updated by Peter Manev over 9 years ago Actions
Copy link
 #5

Since we cant be 100% positive if that is really the case - we can then try - bad value formatting for keyword filemagic: '"picture" sid:5555555' ?

JI Updated by Jason Ish over 9 years ago Actions
Copy link
 #6

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 3.2beta1

Fix merged. Includes better double quote checking. See https://github.com/inliniac/suricata/pull/2265

Actions
Copy link

Also available in: PDF Atom