Bug #1826
openFeature #4855: rules: refactor rule parsing into multi-stage parser
Rule validation bug with fast_pattern:only and specified buffers
Description
Relative keywords cannot be used around a "fast_pattern:only" context and the Suricata rule validation checks for this. However, there are cases where this validation doesn't recognize that the relative keywords apply to a particular buffer (e.g. "http_*") and are not invalid. Take this rule for example:
alert http any any -> any any (msg:"Rule validation issue - ERROR"; content:"whatever"; fast_pattern:only; content:"ABC"; http_uri; content:"123"; distance:3; http_uri; sid:1234;)
It will produce the following error:
<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
But if you move the "http_*" modifier to before the distance/within modifier(s), it works:
alert http any any -> any any (msg:"Rule validation issue - NO_ERROR"; content:"whatever"; fast_pattern:only; content:"ABC"; http_uri; content:"123"; http_uri; distance:3; sid:1234;)
The issue is with rule validation only and doesn't affect detection.
Files
Updated by Victor Julien over 8 years ago
- Status changed from New to Assigned
- Assignee set to Andreas Herz
- Target version set to 70
I think it will be best if we move the check into the 'SigValidate' function, which runs post-parsing.
Updated by Andreas Herz over 8 years ago
David do you have additonal examples that differ from the one you already provided?
Having more distinct rules could help to improve the correct parsing/validation, ty!
Updated by David Wharton over 8 years ago
Really any http_* buffer with relative keywords. Here is a list using "within":
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_method"; content:"whatever"; fast_pattern:only; content:"ABC"; http_method; content:"123"; within:3; http_method; sid:100;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_stat_code"; content:"whatever"; fast_pattern:only; content:"ABC"; http_stat_code; content:"123"; within:3; http_stat_code; sid:101;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_stat_msg"; content:"whatever"; fast_pattern:only; content:"ABC"; http_stat_msg; content:"123"; within:3; http_stat_msg; sid:102;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_uri"; content:"whatever"; fast_pattern:only; content:"ABC"; http_uri; content:"123"; within:3; http_uri; sid:103;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_raw_uri"; content:"whatever"; fast_pattern:only; content:"ABC"; http_raw_uri; content:"123"; within:3; http_raw_uri; sid:104;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_header"; content:"whatever"; fast_pattern:only; content:"ABC"; http_header; content:"123"; within:3; http_header; sid:105;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_raw_header"; content:"whatever"; fast_pattern:only; content:"ABC"; http_raw_header; content:"123"; within:3; http_raw_header; sid:106;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_cookie"; content:"whatever"; fast_pattern:only; content:"ABC"; http_cookie; content:"123"; within:3; http_cookie; sid:107;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_host"; content:"whatever"; fast_pattern:only; content:"ABC"; http_host; content:"123"; within:3; http_host; sid:109;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_raw_host"; content:"whatever"; fast_pattern:only; content:"ABC"; http_raw_host; content:"123"; within:3; http_raw_host; sid:110;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_client_body"; content:"whatever"; fast_pattern:only; content:"ABC"; http_client_body; content:"123"; within:3; http_client_body; sid:111;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_server_body"; content:"whatever"; fast_pattern:only; content:"ABC"; http_server_body; content:"123"; within:3; http_server_body; sid:112;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_user_agent"; content:"whatever"; fast_pattern:only; content:"ABC"; http_user_agent; content:"123"; within:3; http_user_agent; sid:113;)
Here is the list using "distance":
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_method"; content:"whatever"; fast_pattern:only; content:"ABC"; http_method; content:"123"; distance:3; http_method; sid:100;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_stat_code"; content:"whatever"; fast_pattern:only; content:"ABC"; http_stat_code; content:"123"; distance:3; http_stat_code; sid:101;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_stat_msg"; content:"whatever"; fast_pattern:only; content:"ABC"; http_stat_msg; content:"123"; distance:3; http_stat_msg; sid:102;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_uri"; content:"whatever"; fast_pattern:only; content:"ABC"; http_uri; content:"123"; distance:3; http_uri; sid:103;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_raw_uri"; content:"whatever"; fast_pattern:only; content:"ABC"; http_raw_uri; content:"123"; distance:3; http_raw_uri; sid:104;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_header"; content:"whatever"; fast_pattern:only; content:"ABC"; http_header; content:"123"; distance:3; http_header; sid:105;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_raw_header"; content:"whatever"; fast_pattern:only; content:"ABC"; http_raw_header; content:"123"; distance:3; http_raw_header; sid:106;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_cookie"; content:"whatever"; fast_pattern:only; content:"ABC"; http_cookie; content:"123"; distance:3; http_cookie; sid:107;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_host"; content:"whatever"; fast_pattern:only; content:"ABC"; http_host; content:"123"; distance:3; http_host; sid:109;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_raw_host"; content:"whatever"; fast_pattern:only; content:"ABC"; http_raw_host; content:"123"; distance:3; http_raw_host; sid:110;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_client_body"; content:"whatever"; fast_pattern:only; content:"ABC"; http_client_body; content:"123"; distance:3; http_client_body; sid:111;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_server_body"; content:"whatever"; fast_pattern:only; content:"ABC"; http_server_body; content:"123"; distance:3; http_server_body; sid:112;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_user_agent"; content:"whatever"; fast_pattern:only; content:"ABC"; http_user_agent; content:"123"; distance:3; http_user_agent; sid:113;)
Updated by David Wharton over 8 years ago
- File whatever.pcap whatever.pcap added
Interestingly, using a relative "byte_extract", "byte_jump" or "byte_test" after "fast_pattern:only" does not throw an error. Examples:
alert http any any -> any any (msg:"Rule validation issue - relative byte_test after fast_pattern:only"; content:"whatever"; http_header; fast_pattern:only; byte_test:1,=,65,1,relative; sid:201;) alert http any any -> any any (msg:"Rule validation issue - relative byte_jump after fast_pattern:only"; content:"whatever"; http_header; fast_pattern:only; byte_jump:1,1,relative; sid:202;) alert http any any -> any any (msg:"Rule validation issue - relative byte_extract after fast_pattern:only"; content:"whatever"; http_header; fast_pattern:only; byte_extract:1,1,foo,relative; sid:203;)
In fact, running the above byte_test rule (sid:201) against the attached pcap (whatever.pcap) produces an alert! This indicates that "fast_pattern:only;" really doesn't do anything different from just "fast_pattern;" (tested on Suricata 3.0.1). I knew this was the case but I guess it is interesting that you are throwing validation errors for non-existent functionality. Any idea when "fast_pattern:only" behavior will be incorporated?
Updated by Andreas Herz over 6 years ago
- Status changed from Assigned to New
- Assignee changed from Andreas Herz to OISF Dev
Updated by Victor Julien over 6 years ago
- Related to Bug #1926: rule parsing: wrong content checked for fast_pattern (snort compatibility) added
Updated by Victor Julien about 5 years ago
- Related to Bug #2205: Buffer confusion with fast_pattern:only; added
Updated by Victor Julien about 3 years ago
- Target version changed from TBD to 8.0.0-beta1