
Parent task: Feature #4855: rules: refactor rule parsing into multi-stage parser


Bug #1926: rule parsing: wrong content checked for fast_pattern (snort compatibility)

Added by Jason Ish over 9 years ago. Updated 9 months ago.

Status: Feedback
Priority: Normal

Description

Given a rule like:

content:"AAAA"; fast_pattern:only; content:"BBBB"; http_raw_uri; content:"AAAA"; distance:0; http_raw_uri;

The distance will end up checking the first occurrence of content for "fast_pattern:only" instead of the previous content, as it's not looking for the previous content on the http_raw_uri list.

If the rule is modified to have the distance after http_raw_uri, e.g.:

content:"AAAA"; fast_pattern:only; content:"BBBB"; http_raw_uri; content:"AAAA"; http_raw_uri; distance:0;

then the correct content is checked, as the rule parsing context is on the correct list.

However, from the rule writer's perspective, these two variations should result in the same outcome.


Related issues: 4 (4 open, 0 closed)

Related to Suricata - Bug #1826: Rule validation bug with fast_pattern:only and specified buffers (status New, assignee OISF Dev)
Related to Suricata - Bug #2205: detect: error on content relative to fast_pattern:only (status New, assignee OISF Dev)
Related to Suricata - Feature #3317: rules: use rust for tokenizing rules (status Feedback, assignee Jason Ish)
Related to Suricata - Bug #4286: detect: FN due to setup failure with http_cookie after isdataat (status Feedback, assignee Community Ticket)

#1 Updated by Victor Julien over 7 years ago

  • Assignee changed from Jason Ish to Victor Julien

#2 Updated by Victor Julien over 7 years ago

  • Target version changed from 70 to TBD

It seems that to properly fix this we'd need a 2 stage rule parser. In this case distance already connects the 2 contents before the 2nd one is considered to be http_raw_uri.
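A toy model of the ordering problem from the description and of the two-stage parser suggested in comment #2, added here as an example; it is not Suricata's code. The option names come from the rule in the description, while the buffer labels "payload" and "http_raw_uri", the function names and the content-index bookkeeping are this example's own assumptions.

```python
# Added example (not Suricata code): single-pass versus two-stage resolution of
# a relative 'distance' modifier. Only content, http_raw_uri (buffer modifier)
# and distance (relative modifier) are modelled; other options are skipped.

def tokenize(options):
    """Split 'key:value; key; ...' into (key, value) pairs in source order."""
    pairs = []
    for opt in options.split(";"):
        if opt.strip():
            key, _, val = opt.partition(":")
            pairs.append((key.strip(), val.strip().strip('"')))
    return pairs

def _previous_on_same_buffer(contents, idx):
    """Index of the closest earlier content on the same buffer, or None."""
    buf = contents[idx]["buffer"]
    earlier = [i for i in range(idx) if contents[i]["buffer"] == buf]
    return earlier[-1] if earlier else None

def parse_one_pass(options):
    """Single pass: 'distance' is bound when seen; a later http_raw_uri cannot fix it."""
    contents = []
    for key, val in tokenize(options):
        if key == "content":
            contents.append({"pattern": val, "buffer": "payload", "rel": None})
        elif key == "http_raw_uri":
            contents[-1]["buffer"] = "http_raw_uri"
        elif key == "distance":
            contents[-1]["rel"] = _previous_on_same_buffer(contents, len(contents) - 1)
    return [(c["pattern"], c["buffer"], c["rel"]) for c in contents]

def parse_two_stage(options):
    """Stage 1 records modifiers; stage 2 resolves 'distance' once buffers are final."""
    contents = []
    for key, val in tokenize(options):               # stage 1
        if key == "content":
            contents.append({"pattern": val, "buffer": "payload", "relative": False})
        elif key == "http_raw_uri":
            contents[-1]["buffer"] = "http_raw_uri"
        elif key == "distance":
            contents[-1]["relative"] = True
    return [(c["pattern"], c["buffer"],                # stage 2
             _previous_on_same_buffer(contents, i) if c["relative"] else None)
            for i, c in enumerate(contents)]

# The two option orderings quoted in the ticket description.
RULE_DISTANCE_FIRST = ('content:"AAAA"; fast_pattern:only; content:"BBBB"; http_raw_uri; '
                       'content:"AAAA"; distance:0; http_raw_uri;')
RULE_BUFFER_FIRST = ('content:"AAAA"; fast_pattern:only; content:"BBBB"; http_raw_uri; '
                     'content:"AAAA"; http_raw_uri; distance:0;')
```

Each returned tuple is (pattern, buffer, index of the content the distance is relative to); with the single pass the first ordering binds the third content to content 0 (the payload "AAAA"), whereas both orderings bind it to content 1 ("BBBB" on http_raw_uri) after the two-stage parse.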

#3 Updated by Victor Julien over 7 years ago

  • Related to Bug #1826: Rule validation bug with fast_pattern:only and specified buffers added

#4 Updated by Victor Julien over 6 years ago

  • Related to Bug #2205: detect: error on content relative to fast_pattern:only added

#5 Updated by Victor Julien over 6 years ago

  • Related to Feature #3317: rules: use rust for tokenizing rules added

#6 Updated by Victor Julien over 4 years ago

  • Parent task set to #4855

#7 Updated by Victor Julien over 4 years ago

  • Status changed from Assigned to New
  • Assignee changed from Victor Julien to OISF Dev
  • Target version changed from TBD to 8.0.0-beta1

#8 Updated by Victor Julien about 1 year ago

  • Target version changed from 8.0.0-beta1 to 9.0.0-beta1

#9 Updated by Philippe Antoine 9 months ago

  • Status changed from New to Feedback

Is this a problem when using http.uri nowadays?

#10 Updated by Victor Julien 3 months ago

  • Related to Bug #4286: detect: FN due to setup failure with http_cookie after isdataat added