Project

General

Profile

Bug #1826

Rule validation bug with fast_pattern:only and specified buffers

Added by David Wharton almost 3 years ago. Updated 10 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Relative keywords cannot be used around a "fast_pattern:only" context and the Suricata rule validation checks for this. However, there are cases where this validation doesn't recognize that the relative keywords apply to a particular buffer (e.g. "http_*") and are not invalid. Take this rule for example:

alert http any any -> any any (msg:"Rule validation issue - ERROR"; content:"whatever"; fast_pattern:only; content:"ABC"; http_uri; content:"123"; distance:3; http_uri; sid:1234;)

It will produce the following error:
<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content

But if you move the "http_*" modifier to before the distance/within modifier(s), it works:
alert http any any -> any any (msg:"Rule validation issue - NO_ERROR"; content:"whatever"; fast_pattern:only; content:"ABC"; http_uri; content:"123"; http_uri; distance:3; sid:1234;)

The issue is with rule validation only and doesn't affect detection.


Files

whatever.pcap (574 Bytes) whatever.pcap test for relative byte_test after fast_pattern:only David Wharton, 07/06/2016 09:24 AM

Related issues

Related to Bug #1926: rule parsing: wrong content checked for fast_pattern (snort compatibility)AssignedActions

History

#1

Updated by Victor Julien almost 3 years ago

  • Description updated (diff)
#2

Updated by Victor Julien almost 3 years ago

  • Status changed from New to Assigned
  • Assignee set to Andreas Herz
  • Target version set to Soon

I think it will be best if we move the check into the 'SigValidate' function, which runs post-parsing.

#3

Updated by Andreas Herz almost 3 years ago

David do you have additonal examples that differ from the one you already provided?
Having more distinct rules could help to improve the correct parsing/validation, ty!

#4

Updated by David Wharton almost 3 years ago

Really any http_* buffer with relative keywords. Here is a list using "within":


alert http any any -> any any (msg:"Rule validation issue - ERROR - http_method"; content:"whatever"; fast_pattern:only; content:"ABC"; http_method; content:"123"; within:3; http_method; sid:100;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_stat_code"; content:"whatever"; fast_pattern:only; content:"ABC"; http_stat_code; content:"123"; within:3; http_stat_code; sid:101;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_stat_msg"; content:"whatever"; fast_pattern:only; content:"ABC"; http_stat_msg; content:"123"; within:3; http_stat_msg; sid:102;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_uri"; content:"whatever"; fast_pattern:only; content:"ABC"; http_uri; content:"123"; within:3; http_uri; sid:103;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_raw_uri"; content:"whatever"; fast_pattern:only; content:"ABC"; http_raw_uri; content:"123"; within:3; http_raw_uri; sid:104;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_header"; content:"whatever"; fast_pattern:only; content:"ABC"; http_header; content:"123"; within:3; http_header; sid:105;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_raw_header"; content:"whatever"; fast_pattern:only; content:"ABC"; http_raw_header; content:"123"; within:3; http_raw_header; sid:106;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_cookie"; content:"whatever"; fast_pattern:only; content:"ABC"; http_cookie; content:"123"; within:3; http_cookie; sid:107;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_host"; content:"whatever"; fast_pattern:only; content:"ABC"; http_host; content:"123"; within:3; http_host; sid:109;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_raw_host"; content:"whatever"; fast_pattern:only; content:"ABC"; http_raw_host; content:"123"; within:3; http_raw_host; sid:110;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_client_body"; content:"whatever"; fast_pattern:only; content:"ABC"; http_client_body; content:"123"; within:3; http_client_body; sid:111;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_server_body"; content:"whatever"; fast_pattern:only; content:"ABC"; http_server_body; content:"123"; within:3; http_server_body; sid:112;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_user_agent"; content:"whatever"; fast_pattern:only; content:"ABC"; http_user_agent; content:"123"; within:3; http_user_agent; sid:113;)

Here is the list using "distance":


alert http any any -> any any (msg:"Rule validation issue - ERROR - http_method"; content:"whatever"; fast_pattern:only; content:"ABC"; http_method; content:"123"; distance:3; http_method; sid:100;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_stat_code"; content:"whatever"; fast_pattern:only; content:"ABC"; http_stat_code; content:"123"; distance:3; http_stat_code; sid:101;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_stat_msg"; content:"whatever"; fast_pattern:only; content:"ABC"; http_stat_msg; content:"123"; distance:3; http_stat_msg; sid:102;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_uri"; content:"whatever"; fast_pattern:only; content:"ABC"; http_uri; content:"123"; distance:3; http_uri; sid:103;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_raw_uri"; content:"whatever"; fast_pattern:only; content:"ABC"; http_raw_uri; content:"123"; distance:3; http_raw_uri; sid:104;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_header"; content:"whatever"; fast_pattern:only; content:"ABC"; http_header; content:"123"; distance:3; http_header; sid:105;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_raw_header"; content:"whatever"; fast_pattern:only; content:"ABC"; http_raw_header; content:"123"; distance:3; http_raw_header; sid:106;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_cookie"; content:"whatever"; fast_pattern:only; content:"ABC"; http_cookie; content:"123"; distance:3; http_cookie; sid:107;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_host"; content:"whatever"; fast_pattern:only; content:"ABC"; http_host; content:"123"; distance:3; http_host; sid:109;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_raw_host"; content:"whatever"; fast_pattern:only; content:"ABC"; http_raw_host; content:"123"; distance:3; http_raw_host; sid:110;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_client_body"; content:"whatever"; fast_pattern:only; content:"ABC"; http_client_body; content:"123"; distance:3; http_client_body; sid:111;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_server_body"; content:"whatever"; fast_pattern:only; content:"ABC"; http_server_body; content:"123"; distance:3; http_server_body; sid:112;)
alert http any any -> any any (msg:"Rule validation issue - ERROR - http_user_agent"; content:"whatever"; fast_pattern:only; content:"ABC"; http_user_agent; content:"123"; distance:3; http_user_agent; sid:113;)

#5

Updated by David Wharton almost 3 years ago

Interestingly, using a relative "byte_extract", "byte_jump" or "byte_test" after "fast_pattern:only" does not throw an error. Examples:
@
alert http any any -> any any (msg:"Rule validation issue - relative byte_test after fast_pattern:only"; content:"whatever"; http_header; fast_pattern:only; byte_test:1,=,65,1,relative; sid:201;)

alert http any any -> any any (msg:"Rule validation issue - relative byte_jump after fast_pattern:only"; content:"whatever"; http_header; fast_pattern:only; byte_jump:1,1,relative; sid:202;)

alert http any any -> any any (msg:"Rule validation issue - relative byte_extract after fast_pattern:only"; content:"whatever"; http_header; fast_pattern:only; byte_extract:1,1,foo,relative; sid:203;)
@

In fact, running the above byte_test rule (sid:201) against the attached pcap (whatever.pcap) produces an alert! This indicates that "fast_pattern:only;" really doesn't do anything different from just "fast_pattern;" (tested on Suricata 3.0.1). I knew this was the case but I guess it is interesting that you are throwing validation errors for non-existent functionality. Any idea when "fast_pattern:only" behavior will be incorporated?

#6

Updated by Andreas Herz 10 months ago

  • Status changed from Assigned to New
  • Assignee changed from Andreas Herz to OISF Dev
#7

Updated by Victor Julien 10 months ago

  • Related to Bug #1926: rule parsing: wrong content checked for fast_pattern (snort compatibility) added

Also available in: Atom PDF