Bug #1826
Feature #4855 (open): rules: refactor rule parsing into multi-stage parser
Rule validation bug with fast_pattern:only and specified buffers
Description
Relative keywords cannot be used around a "fast_pattern:only" context and the Suricata rule validation checks for this. However, there are cases where this validation doesn't recognize that the relative keywords apply to a particular buffer (e.g. "http_*") and are not invalid. Take this rule for example:
alert http any any -> any any (msg:"Rule validation issue - ERROR"; content:"whatever"; fast_pattern:only; content:"ABC"; http_uri; content:"123"; distance:3; http_uri; sid:1234;)
It will produce the following error:
<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
But if you move the "http_*" modifier to before the distance/within modifier(s), it works:
alert http any any -> any any (msg:"Rule validation issue - NO_ERROR"; content:"whatever"; fast_pattern:only; content:"ABC"; http_uri; content:"123"; http_uri; distance:3; sid:1234;)
The issue is with rule validation only and doesn't affect detection.
Files
Updated by Victor Julien almost 10 years ago
- Description updated (diff)
Updated by Victor Julien almost 10 years ago
- Status changed from New to Assigned
- Assignee set to Andreas Herz
- Target version set to 70
I think it will be best if we move the check into the 'SigValidate' function, which runs post-parsing.
Updated by Andreas Herz almost 10 years ago
David, do you have additional examples that differ from the one you already provided?
Having more distinct rules could help to improve the correct parsing/validation, ty!
Updated by David Wharton over 9 years ago
Really any http_* buffer with relative keywords. Here is a list using "within":
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_method"; content:"whatever"; fast_pattern:only; content:"ABC"; http_method; content:"123"; within:3; http_method; sid:100;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_stat_code"; content:"whatever"; fast_pattern:only; content:"ABC"; http_stat_code; content:"123"; within:3; http_stat_code; sid:101;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_stat_msg"; content:"whatever"; fast_pattern:only; content:"ABC"; http_stat_msg; content:"123"; within:3; http_stat_msg; sid:102;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_uri"; content:"whatever"; fast_pattern:only; content:"ABC"; http_uri; content:"123"; within:3; http_uri; sid:103;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_raw_uri"; content:"whatever"; fast_pattern:only; content:"ABC"; http_raw_uri; content:"123"; within:3; http_raw_uri; sid:104;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_header"; content:"whatever"; fast_pattern:only; content:"ABC"; http_header; content:"123"; within:3; http_header; sid:105;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_raw_header"; content:"whatever"; fast_pattern:only; content:"ABC"; http_raw_header; content:"123"; within:3; http_raw_header; sid:106;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_cookie"; content:"whatever"; fast_pattern:only; content:"ABC"; http_cookie; content:"123"; within:3; http_cookie; sid:107;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_host"; content:"whatever"; fast_pattern:only; content:"ABC"; http_host; content:"123"; within:3; http_host; sid:109;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_raw_host"; content:"whatever"; fast_pattern:only; content:"ABC"; http_raw_host; content:"123"; within:3; http_raw_host; sid:110;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_client_body"; content:"whatever"; fast_pattern:only; content:"ABC"; http_client_body; content:"123"; within:3; http_client_body; sid:111;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_server_body"; content:"whatever"; fast_pattern:only; content:"ABC"; http_server_body; content:"123"; within:3; http_server_body; sid:112;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_user_agent"; content:"whatever"; fast_pattern:only; content:"ABC"; http_user_agent; content:"123"; within:3; http_user_agent; sid:113;)
Here is the list using "distance":
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_method"; content:"whatever"; fast_pattern:only; content:"ABC"; http_method; content:"123"; distance:3; http_method; sid:100;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_stat_code"; content:"whatever"; fast_pattern:only; content:"ABC"; http_stat_code; content:"123"; distance:3; http_stat_code; sid:101;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_stat_msg"; content:"whatever"; fast_pattern:only; content:"ABC"; http_stat_msg; content:"123"; distance:3; http_stat_msg; sid:102;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_uri"; content:"whatever"; fast_pattern:only; content:"ABC"; http_uri; content:"123"; distance:3; http_uri; sid:103;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_raw_uri"; content:"whatever"; fast_pattern:only; content:"ABC"; http_raw_uri; content:"123"; distance:3; http_raw_uri; sid:104;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_header"; content:"whatever"; fast_pattern:only; content:"ABC"; http_header; content:"123"; distance:3; http_header; sid:105;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_raw_header"; content:"whatever"; fast_pattern:only; content:"ABC"; http_raw_header; content:"123"; distance:3; http_raw_header; sid:106;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_cookie"; content:"whatever"; fast_pattern:only; content:"ABC"; http_cookie; content:"123"; distance:3; http_cookie; sid:107;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_host"; content:"whatever"; fast_pattern:only; content:"ABC"; http_host; content:"123"; distance:3; http_host; sid:109;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_raw_host"; content:"whatever"; fast_pattern:only; content:"ABC"; http_raw_host; content:"123"; distance:3; http_raw_host; sid:110;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_client_body"; content:"whatever"; fast_pattern:only; content:"ABC"; http_client_body; content:"123"; distance:3; http_client_body; sid:111;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_server_body"; content:"whatever"; fast_pattern:only; content:"ABC"; http_server_body; content:"123"; distance:3; http_server_body; sid:112;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_user_agent"; content:"whatever"; fast_pattern:only; content:"ABC"; http_user_agent; content:"123"; distance:3; http_user_agent; sid:113;)
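A simplified model of the two-stage approach Victor suggests (parse first, validate in a post-parsing pass), run over the rules quoted in this ticket. This is an added example written for this page, not Suricata's code, and it makes no claim about how SigValidate is actually implemented. Assumptions: legacy http_* modifiers retarget the content keyword immediately before them, and distance/within are measured against the previous content in the same buffer.

```python
import re
# Legacy http_* modifiers retarget the content keyword that precedes them; the
# names below are those used in the rules quoted in this ticket.
HTTP_MODIFIERS = {
    "http_method", "http_stat_code", "http_stat_msg", "http_uri", "http_raw_uri",
    "http_header", "http_raw_header", "http_cookie", "http_host", "http_raw_host",
    "http_client_body", "http_server_body", "http_user_agent",
}
RELATIVE = {"distance", "within"}
FP_ERROR = ("previous keyword has a fast_pattern:only; set. Can't have relative "
            "keywords around a fast_pattern only content")

def parse_options(rule):
    """Stage 1: split the option block into (keyword, value) pairs, honouring quotes."""
    opts, body = [], rule[rule.index("(") + 1:rule.rindex(")")]
    for item in re.findall(r'((?:"[^"]*"|[^;"])+);', body):
        kw, _, val = item.strip().partition(":")
        opts.append((kw.strip(), val.strip()))
    return opts

def prior_in_buffer(contents, idx):
    """The content a relative keyword on contents[idx] is measured against."""
    same = [c for c in contents[:idx] if c["buffer"] == contents[idx]["buffer"]]
    return same[-1] if same else None

def validate(rule, post_parse=True):
    """Return None if accepted, else the error text. post_parse=False reproduces the
    ticket: the check fires when distance/within is parsed, before a later http_*
    modifier moves the content; post_parse=True checks after all are resolved."""
    contents = []
    for kw, val in parse_options(rule):
        if kw == "content":
            contents.append({"pattern": val, "buffer": "payload",
                             "fp_only": False, "relative": False})
        elif kw in HTTP_MODIFIERS:
            contents[-1]["buffer"] = kw
        elif kw == "fast_pattern" and val == "only":
            contents[-1]["fp_only"] = True
        elif kw in RELATIVE:
            contents[-1]["relative"] = True
            prev = prior_in_buffer(contents, len(contents) - 1)
            if not post_parse and prev and prev["fp_only"]:
                return FP_ERROR
    # Stage 2: every content now sits on its final buffer, so the predecessor is right.
    for i, c in enumerate(contents if post_parse else []):
        prev = prior_in_buffer(contents, i)
        if c["relative"] and prev and prev["fp_only"]:
            return FP_ERROR
    return None
```

With post_parse=False the ERROR rules above are rejected while the NO_ERROR variant passes; with post_parse=True both pass, and a rule whose relative content really does sit on the same buffer as the fast_pattern:only content is still rejected.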
Updated by David Wharton over 9 years ago
- File whatever.pcap whatever.pcap added
Interestingly, using a relative "byte_extract", "byte_jump" or "byte_test" after "fast_pattern:only" does not throw an error. Examples:
alert http any any -> any any (msg:"Rule validation issue - relative byte_test after fast_pattern:only"; content:"whatever"; http_header; fast_pattern:only; byte_test:1,=,65,1,relative; sid:201;)
alert http any any -> any any (msg:"Rule validation issue - relative byte_jump after fast_pattern:only"; content:"whatever"; http_header; fast_pattern:only; byte_jump:1,1,relative; sid:202;)
alert http any any -> any any (msg:"Rule validation issue - relative byte_extract after fast_pattern:only"; content:"whatever"; http_header; fast_pattern:only; byte_extract:1,1,foo,relative; sid:203;)
In fact, running the above byte_test rule (sid:201) against the attached pcap (whatever.pcap) produces an alert! This indicates that "fast_pattern:only;" really doesn't do anything different from just "fast_pattern;" (tested on Suricata 3.0.1). I knew this was the case but I guess it is interesting that you are throwing validation errors for non-existent functionality. Any idea when "fast_pattern:only" behavior will be incorporated?
Updated by Andreas Herz over 7 years ago
- Status changed from Assigned to New
- Assignee changed from Andreas Herz to OISF Dev
Updated by Victor Julien over 7 years ago
- Related to Bug #1926: rule parsing: wrong content checked for fast_pattern (snort compatibility) added
Updated by Victor Julien over 6 years ago
- Related to Bug #2205: detect: error on content relative to fast_pattern:only added
Updated by Victor Julien over 5 years ago
- Target version changed from 70 to TBD
Updated by Victor Julien over 4 years ago
- Parent task set to #4855
Updated by Victor Julien over 4 years ago
- Target version changed from TBD to 8.0.0-beta1
Updated by Victor Julien about 1 year ago
- Target version changed from 8.0.0-beta1 to 9.0.0-beta1
Updated by Philippe Antoine 9 months ago
- Affected Versions 8.0.0 added