Bug #1674

closed

Cannot use 'tag:session' after base64_data keyword

Added by Duane Howard almost 9 years ago. Updated over 8 years ago.

Status: Closed
Priority: Normal

Description

When setting tag:session after using base64_data, Suricata complains. It works if you remove the tag:session, or move it to before the base64_data keyword. The position of tag:session should be irrelevant, as this is a post-detection rule option.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"some b64thing"; flow:established,from_server; file_data; content:"sometext"; fast_pattern; base64_decode:relative; base64_data; content:"foobar"; nocase; tag:session,120,seconds; classtype:bad-unknown; sid:1111111; rev:1;)

duane@testbox:~$ suricata -c /etc/suricata/suricata.yaml -S b64.rules -T
22/1/2016 -- 19:31:44 - <Info> - Running suricata under test mode
Initialization syslog logging with format "[%i] <%d> -- ".
22/1/2016 -- 19:31:44 - <Notice> - This is Suricata version 3.0RC2 RELEASE
22/1/2016 -- 19:31:44 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Rule buffer cannot be reset after base64_data.
22/1/2016 -- 19:31:44 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"some b64thing"; flow:established,from_server; file_data; content:"sometext"; fast_pattern; base64_decode:relative; base64_data; content:"foobar"; nocase; tag:session,120,seconds; classtype:bad-unknown; sid:1111111; rev:1;)" from file b64.rules at line 1
______________________________________________________________________

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"some b64thing"; flow:established,from_server; file_data; content:"sometext"; fast_pattern; base64_decode:relative; base64_data; content:"foobar"; nocase; classtype:bad-unknown; sid:1111111; rev:1;)

duane@testbox:~$ suricata -c /etc/suricata/suricata.yaml -S b64.rules -T
22/1/2016 -- 19:32:05 - <Info> - Running suricata under test mode
Initialization syslog logging with format "[%i] <%d> -- ".
22/1/2016 -- 19:32:05 - <Notice> - This is Suricata version 3.0RC2 RELEASE
<snip>
22/1/2016 -- 19:32:05 - <Notice> - Configuration provided was successfully loaded. Exiting.
______________________________________________________________________

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"some b64thing"; flow:established,from_server; file_data; content:"sometext"; fast_pattern; tag:session,120,seconds; base64_decode:relative; base64_data; content:"foobar"; nocase; classtype:bad-unknown; sid:1111111; rev:1;)


duane@testbox:~$ suricata -c /etc/suricata/suricata.yaml -S b64.rules -T
duane@testbox:~$ sudo /usr/local/bin/suricata -c /etc/suricata/suricata.yaml -S b64.rules -T
22/1/2016 -- 19:40:41 - <Info> - Running suricata under test mode
Initialization syslog logging with format "[%i] <%d> -- ".
22/1/2016 -- 19:40:41 - <Notice> - This is Suricata version 3.0RC2 RELEASE
<snip>
22/1/2016 -- 19:40:41 - <Notice> - Configuration provided was successfully loaded. Exiting.
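A small pre-flight check for the ordering problem described in this report, added here as an example and not part of the original report or of Suricata's own code: it splits a rule's option block into keywords (respecting semicolons inside quoted content values), flags a `tag` option that follows `base64_data`, and applies the workaround the reporter found to work on 3.0RC2, moving `tag` in front of the first `base64_decode`. The two rule strings are the ones quoted above.

```python
import re

# Constructed from the report above: the rejected rule and the accepted reordering.
BROKEN = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"some b64thing"; '
          'flow:established,from_server; file_data; content:"sometext"; fast_pattern; '
          'base64_decode:relative; base64_data; content:"foobar"; nocase; '
          'tag:session,120,seconds; classtype:bad-unknown; sid:1111111; rev:1;)')
FIXED = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"some b64thing"; '
         'flow:established,from_server; file_data; content:"sometext"; fast_pattern; '
         'tag:session,120,seconds; base64_decode:relative; base64_data; content:"foobar"; '
         'nocase; classtype:bad-unknown; sid:1111111; rev:1;)')


def split_options(rule):
    """Return the option block of a Suricata rule as (keyword, value) pairs.

    A ';' inside a quoted value (content:"a;b") does not end an option, and a
    backslash escapes the following character, so content:"a\\"b" stays intact.
    """
    m = re.search(r'\((.*)\)\s*$', rule, re.S)
    if not m:
        raise ValueError("rule has no option block")
    opts, buf, in_quote, esc = [], [], False, False
    for ch in m.group(1):
        if esc:
            buf.append(ch)
            esc = False
        elif ch == '\\':
            buf.append(ch)
            esc = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            opt = ''.join(buf).strip()
            if opt:
                kw, _, val = opt.partition(':')
                opts.append((kw.strip(), val.strip()))
            buf = []
        else:
            buf.append(ch)
    return opts


def tag_after_base64_data(rule):
    """True if a 'tag' option sits after 'base64_data' (rejected by 3.0RC2)."""
    kws = [k for k, _ in split_options(rule)]
    if 'base64_data' not in kws or 'tag' not in kws:
        return False
    return kws.index('tag') > kws.index('base64_data')


def move_tag_before_base64_decode(rule):
    """Rewrite the rule so every 'tag' option precedes the first base64_decode."""
    head = rule[:rule.index('(')]
    opts = split_options(rule)
    tags = [o for o in opts if o[0] == 'tag']
    rest = [o for o in opts if o[0] != 'tag']
    idx = next((i for i, o in enumerate(rest) if o[0] == 'base64_decode'), len(rest))
    reordered = rest[:idx] + tags + rest[idx:]
    body = ' '.join(f'{k}:{v};' if v else f'{k};' for k, v in reordered)
    return f'{head}({body})'
```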
