Project

General

Profile

Actions
Copy link

Bug #1486

closed

invalid rule: parser err msg not descriptive enough

Added by Peter Manev almost 9 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Jason Ish
Target version:
3.2beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

12/6/2015 -- 13:29:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - filemagic keyword arguments should be always enclosed in double quotes.  Invalid content keyword passed in this rule - ""picture" sid:5555555" 
12/6/2015 -- 13:29:04 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> any any (msg:"File extract all these files"; content:"cnn.com"; http_host; filemagic:"picture" sid:5555555; rev:1;)" from file http-host.rules at line 1
12/6/2015 -- 13:29:04 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rules loaded from http-host.rules

The err msg should be regarding the missing semicolon not double quotes.

Actions
Copy link
 #1

Updated by Victor Julien almost 9 years ago

  • Status changed from New to Assigned
  • Assignee set to Jason Ish
  • Target version set to 3.0RC1
Actions
Copy link
 #2

Updated by Victor Julien over 8 years ago

  • Target version changed from 3.0RC1 to 70
Actions
Copy link
 #3

Updated by Victor Julien almost 8 years ago

  • Subject changed from err msg not descriptive enough to invalid rule: parser err msg not descriptive enough

Funny that this ticket had a super vague description.

Actions
Copy link
 #4

Updated by Jason Ish over 7 years ago

How about something like this:

[3002] 19/9/2016 -- 10:16:41 - (detect-parse.c:614) <Error> (SigParseOptions) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - bad option value formatting (possible missing semicolon) for keyword filemagic: '"picture" sid:5555555'

I don't think we can be 100% positive that a missing semicolon is the issue. What we can do is, for any option value that starts with a double quote, ensure that it ends with a double quote exclusive of white space. This would be done at the high level option parsing, not at individual options.

Actions
Copy link
 #5

Updated by Peter Manev over 7 years ago

Since we cant be 100% positive if that is really the case - we can then try - bad value formatting for keyword filemagic: '"picture" sid:5555555' ?

Actions
Copy link
 #6

Updated by Jason Ish over 7 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 3.2beta1

Fix merged. Includes better double quote checking. See https://github.com/inliniac/suricata/pull/2265

Actions
Copy link

Also available in: Atom PDF