Bug #1490

http_host payload validation erroring on uppercase PCRE metacharacters

Added by Darren Spruell over 7 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Referring to behavior mentioned in commit:0d7305df, I notice what I think might be incorrect behavior when applying a match to the http_host buffer from a pcre containing uppercase metacharacters rather than uppercase literals. Test rule:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST Host Header Pattern"; pcre:"/\d+\D+\d+\D+\d+\D+\d+\D+/W"; sid:1000000; rev:1;)

As shown, this pattern doesn't contain uppercase character literals, only uppercase metacharacters.

Testing with Suricata 2.0.8, this is what occurs:

$ sudo suricata -T -c /etc/suricata/suricata.yaml -S test.rules
18/6/2015 -- 16:21:01 - <Info> - Running suricata under test mode
18/6/2015 -- 16:21:01 - <Notice> - This is Suricata version 2.0.8 RELEASE
18/6/2015 -- 16:21:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - pcre host("W") specified has an uppercase char.  Since the hostname buffer we match against is actually lowercase, please specify an all lowercase based pcre.
18/6/2015 -- 16:21:01 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Signature parsing failed: "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST Host Header Pattern"; pcre:"/\d+\D+\d+\D+\d+\D+\d+\D+/W"; sid:1000000; rev:1;)"

If the pcre is updated to use the /Z modifier instead, it doesn't check for uppercase characters and doesn't error on the regular expression.

I think the validation should be updated to only error if uppercase literals are detected, but not metacharacters.
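The rule the report proposes, written out as an added example (this is not Suricata's own validation code, and the real check in detect-pcre.c may differ): walk the pattern and complain only about uppercase characters that would be matched literally, treating a backslash escape such as \D or \W as a metacharacter. The example also decodes the two escape forms that can hide an uppercase literal, \Q...\E quoting and \x hex escapes, and it emulates the match side by lowercasing the host before searching, which is what the error text says happens to the http_host buffer. The function names, the sample patterns and the host strings are constructed for illustration; Python's re module is assumed to be close enough to PCRE for these patterns.

```python
"""Uppercase-literal check for a /W (http_host) pcre, plus a small emulation of
matching against the lowercased host buffer. Example code, not Suricata's."""
import re
from typing import Optional

# Matches a PCRE hex escape at the start of a string: \xhh or \x{h...}.
HEX_ESCAPE = re.compile(r'\\x(?:\{([0-9A-Fa-f]+)\}|([0-9A-Fa-f]{1,2}))')


def first_uppercase_literal(pattern: str) -> Optional[str]:
    """Return the first character of `pattern` that would be matched as an
    uppercase *literal*, or None if there is none.

    Escaped letters (\\D, \\W, \\S, \\B, ...) are PCRE metacharacters and are
    skipped, as is an escaped backslash or punctuation. \\Q...\\E spans and
    \\x escapes are decoded because they can stand for literal uppercase.
    """
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == '\\' and i + 1 < n:
            nxt = pattern[i + 1]
            if nxt == 'Q':
                # Everything up to \E (or the end of the pattern) is literal.
                end = pattern.find('\\E', i + 2)
                if end == -1:
                    end = n
                for ch in pattern[i + 2:end]:
                    if ch.isupper():
                        return ch
                i = end + 2
                continue
            if nxt == 'x':
                m = HEX_ESCAPE.match(pattern, i)
                if m:
                    ch = chr(int(m.group(1) or m.group(2), 16))
                    if ch.isupper():
                        return ch
                    i = m.end()
                    continue
            # Any other escape (\D, \W, \d, \\, \., ...) is never an uppercase
            # literal, so skip the backslash and the escaped character.
            i += 2
            continue
        if c.isupper():
            return c
        i += 1
    return None


def validate_host_pcre(pattern: str) -> Optional[str]:
    """Return an error message in the spirit of SC_ERR_INVALID_SIGNATURE when the
    pattern contains an uppercase literal, otherwise None (pattern accepted)."""
    ch = first_uppercase_literal(pattern)
    if ch is None:
        return None
    return ('pcre host("W") specified has an uppercase literal %r; the hostname '
            'buffer is lowercase, so this pattern can never match' % ch)


def http_host_matches(pattern: str, host_header: str) -> bool:
    """Emulate a /W match: the http_host buffer is lowercased before matching,
    so an uppercase literal in `pattern` cannot match whatever the client sent."""
    return re.search(pattern, host_header.lower()) is not None


if __name__ == '__main__':
    # The pattern from the report: only uppercase metacharacters, no literals.
    report_pattern = r'\d+\D+\d+\D+\d+\D+\d+\D+'
    print('report pattern:', validate_host_pcre(report_pattern))          # None
    print('matches numeric host:',
          http_host_matches(report_pattern, '192.168.1.10.example.com'))  # True
    # An uppercase literal is rejected, and would never match anyway.
    print('literal pattern:', validate_host_pcre(r'Example\.com'))
    print('matches?', http_host_matches(r'Example\.com', 'www.Example.com'))  # False
```

The interesting cases are the ones the naive "any uppercase byte" check gets wrong in both directions: `\D` is rejected although it is fine, while `\x45xample` (a literal E written as a hex escape) or `\Qwww.Example\E` would slip through if the validator only looked at bare uppercase bytes.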

#1

Updated by Victor Julien over 7 years ago

  • Assignee set to OISF Dev
  • Target version set to 2.0.9
#2

Updated by Victor Julien over 7 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Jason Ish

Could you check this out, Jason?

#3

Updated by Victor Julien over 7 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100