Bug #1926


Feature #4855: rules: refactor rule parsing into multi-stage parser

rule parsing: wrong content checked for fast_pattern (snort compatibility)

Added by Jason Ish about 8 years ago. Updated about 3 years ago.

Status: New
Priority: Normal

Description

Given a rule like:

content:"AAAA"; fast_pattern:only; content:"BBBB"; http_raw_uri; content:"AAAA"; distance:0; http_raw_uri;

The distance ends up being checked against the first content (the one carrying "fast_pattern:only") instead of the previous content, because the parser is not looking for the previous content on the http_raw_uri list.

If the rule is modified to have the distance after http_raw_uri, eg:

content:"AAAA"; fast_pattern:only; content:"BBBB"; http_raw_uri; content:"AAAA"; http_raw_uri; distance:0;

then the correct content is checked, as the rule parsing context is on the correct list at the time distance is parsed.

However, from the rule writer's perspective these two variations should result in the same outcome.
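As an added illustration of the multi-stage approach this bug feeds into (example code written for this page, not Suricata's own parser), the block below splits option parsing into three stages: tokenize, attach modifiers to their content, and only then resolve "distance" against the previous content on the same buffer. Because resolution waits until every content has its buffer assigned, both orderings from the description resolve the third content's distance against "BBBB" on http_raw_uri. Only the keywords that appear in the description are understood, buffer names "payload" and "http_raw_uri" are labels chosen here, and escaped quotes inside content strings are not handled; all of that is this example's simplification, not Suricata's grammar.

```rust
// Added example, not Suricata code: a three-stage model of rule option
// parsing in which relative modifiers are resolved after buffer assignment.
// Keyword set, buffer labels and error handling are assumptions of this example.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Content {
    pub pattern: String,
    /// "payload" by default; "http_raw_uri" once that modifier follows the content.
    pub buffer: String,
    pub fast_pattern_only: bool,
    pub distance: Option<i64>,
    /// Index of the content this distance is relative to, filled in by stage 3.
    pub relative_to: Option<usize>,
}

/// Stage 1: split on ';' outside double quotes into (keyword, value) pairs.
/// Bare keywords such as http_raw_uri get an empty value.
pub fn tokenize(options: &str) -> Vec<(String, String)> {
    let mut tokens = Vec::new();
    let mut cur = String::new();
    let mut in_quotes = false;
    for c in options.chars() {
        match c {
            '"' => {
                in_quotes = !in_quotes;
                cur.push(c);
            }
            ';' if !in_quotes => {
                let t = cur.trim();
                if !t.is_empty() {
                    let (k, v) = match t.split_once(':') {
                        Some((k, v)) => (k.trim().to_string(), v.trim().trim_matches('"').to_string()),
                        None => (t.to_string(), String::new()),
                    };
                    tokens.push((k, v));
                }
                cur.clear();
            }
            _ => cur.push(c),
        }
    }
    tokens
}

fn last<'a>(contents: &'a mut Vec<Content>, kw: &str) -> Result<&'a mut Content, String> {
    contents
        .last_mut()
        .ok_or_else(|| format!("{kw} needs a preceding content"))
}

/// Stage 2: attach each modifier to the most recent content. Nothing relative
/// is resolved here, so the order of distance and http_raw_uri does not matter.
pub fn build_contents(tokens: &[(String, String)]) -> Result<Vec<Content>, String> {
    let mut contents: Vec<Content> = Vec::new();
    for (k, v) in tokens {
        match k.as_str() {
            "content" => contents.push(Content {
                pattern: v.clone(),
                buffer: "payload".to_string(),
                fast_pattern_only: false,
                distance: None,
                relative_to: None,
            }),
            "http_raw_uri" => last(&mut contents, k)?.buffer = "http_raw_uri".to_string(),
            "fast_pattern" => last(&mut contents, k)?.fast_pattern_only = v.as_str() == "only",
            "distance" => {
                let d = v.parse::<i64>().map_err(|e| format!("distance: {e}"))?;
                last(&mut contents, k)?.distance = Some(d);
            }
            other => return Err(format!("keyword {other} is not modelled in this example")),
        }
    }
    Ok(contents)
}

/// Stage 3: with every buffer known, resolve each distance against the previous
/// content on the same buffer. Doing this during stage 2 is the bug described above.
pub fn resolve_relative(contents: &mut [Content]) -> Result<(), String> {
    for i in 0..contents.len() {
        if contents[i].distance.is_none() {
            continue;
        }
        let buf = contents[i].buffer.clone();
        let prev = (0..i).rev().find(|&j| contents[j].buffer == buf);
        match prev {
            Some(j) => contents[i].relative_to = Some(j),
            None => {
                return Err(format!(
                    "content {:?} has distance but no previous content on {buf}",
                    contents[i].pattern
                ))
            }
        }
    }
    Ok(())
}

/// Runs all three stages over a rule option string.
pub fn parse_rule_options(options: &str) -> Result<Vec<Content>, String> {
    let tokens = tokenize(options);
    let mut contents = build_contents(&tokens)?;
    resolve_relative(&mut contents)?;
    Ok(contents)
}

fn main() {
    // The two orderings from the bug description.
    let before = r#"content:"AAAA"; fast_pattern:only; content:"BBBB"; http_raw_uri; content:"AAAA"; distance:0; http_raw_uri;"#;
    let after = r#"content:"AAAA"; fast_pattern:only; content:"BBBB"; http_raw_uri; content:"AAAA"; http_raw_uri; distance:0;"#;
    for rule in [before, after] {
        let contents = parse_rule_options(rule).expect("rule should parse");
        let third = &contents[2];
        let anchor = third.relative_to.map(|j| contents[j].pattern.as_str());
        println!("{} on {} is relative to {:?}", third.pattern, third.buffer, anchor);
    }
}
```

The validation rules that fast_pattern:only itself carries (the subject of the related #1826 and #2205) are deliberately not modelled; the point of the example is only that a relative modifier must be resolved once the whole option list has been seen, not at the moment it is parsed.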


Related issues (3 open, 0 closed)

Related to Suricata - Bug #1826: Rule validation bug with fast_pattern:only and specified buffers (New, OISF Dev)
Related to Suricata - Bug #2205: Buffer confusion with fast_pattern:only; (Assigned, Victor Julien)
Related to Suricata - Feature #3317: rules: use rust for tokenizing rules (Feedback, Jason Ish)