Bug #2098: isdataat: fix parsing issue with leading spaces
Status: closed
Affected Versions:
Effort:
Difficulty:
Label:
Description
Hello,
I'm noticing a potential issue with a negated isdataat check. I'm testing the following four rules against the pcap linked below:
alert tcp any any -> any any (msg: "It's Alive!!!"; content: "Here"; isdataat: !114; sid: 1102010; rev: 1;)
alert tcp any any -> any any (msg: "It's Alive!!!"; content: "Here"; isdataat: 114; sid: 1102011; rev: 1;)
alert tcp any any -> any any (msg: "It's Alive!!!"; content: "Here"; isdataat: !113; sid: 1102012; rev: 1;)
alert tcp any any -> any any (msg: "It's Alive!!!"; content: "Here"; isdataat: 113; sid: 1102013; rev: 1;)
The packet simply contains the following 114 byte string:
"Here is a 114 byte packet to test how a negated isdataat checks works in Suricata. Seems something may be amiss..."
I'd expect rules 1102010 and 1102013 to alert, and that is what happens in Snort. In Suricata, only 1102012 and 1102013 cause an alert. I'm using Suricata 3.2.1.
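The following is an added worked example, not Suricata's code and not part of the report: a toy rule-option parser and an absolute `isdataat` matcher run over the four rules and the 114-byte payload quoted above. It assumes the semantics the reporter's expected results imply (absolute `isdataat:N` matches when the payload has a byte at zero-based offset N, i.e. payload length > N, and `!` inverts that). The `parse_isdataat_nostrip` function is a hypothetical reconstruction of how a leading space after the colon could silently drop the `!`, which reproduces the alert set the reporter observed; it is an illustration of the failure mode named in the issue title, not Suricata's actual implementation.

```python
import re

# Constructed test data: the four rules and the 114-byte payload quoted in the report.
RULES = [
    'alert tcp any any -> any any (msg: "It\'s Alive!!!"; content: "Here"; isdataat: !114; sid: 1102010; rev: 1;)',
    'alert tcp any any -> any any (msg: "It\'s Alive!!!"; content: "Here"; isdataat: 114; sid: 1102011; rev: 1;)',
    'alert tcp any any -> any any (msg: "It\'s Alive!!!"; content: "Here"; isdataat: !113; sid: 1102012; rev: 1;)',
    'alert tcp any any -> any any (msg: "It\'s Alive!!!"; content: "Here"; isdataat: 113; sid: 1102013; rev: 1;)',
]
PAYLOAD = (b"Here is a 114 byte packet to test how a negated isdataat checks works "
           b"in Suricata. Seems something may be amiss...")


def parse_options(rule: str) -> dict:
    """Split the parenthesised option body into {keyword: raw value}.

    Values are kept exactly as written (including the space after the colon)
    so both isdataat parsers below see what a rule loader would see. Toy parser:
    it ignores ';' inside quoted strings and keywords that take no value.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = {}
    for part in body.split(";"):
        if not part.strip():
            continue
        key, _, value = part.partition(":")
        opts[key.strip()] = value
    return opts


def parse_isdataat_nostrip(value: str):
    """Hypothetical buggy parser: negation is recognised only when '!' is the
    very first character. With 'isdataat: !114' the raw value is ' !114', so
    the '!' is missed and the check silently degrades to 'isdataat:114'."""
    negated = value.startswith("!")
    offset = int(value.lstrip(" !"))
    return offset, negated


def parse_isdataat(value: str):
    """Whitespace-tolerant parser: trim first, then look for the negation marker."""
    value = value.strip()
    negated = value.startswith("!")
    if negated:
        value = value[1:].strip()
    if not re.fullmatch(r"\d+", value):
        raise ValueError(f"bad isdataat value: {value!r}")
    return int(value), negated


def isdataat_matches(payload: bytes, offset: int, negated: bool) -> bool:
    """Absolute isdataat: true when the payload has a byte at zero-based offset N.

    A 114-byte payload has bytes at offsets 0..113, so isdataat:113 matches and
    isdataat:114 does not; a negated check inverts the result.
    """
    has_data = len(payload) > offset
    return has_data != negated


def rule_alerts(rule: str, payload: bytes, parser=parse_isdataat) -> bool:
    """Evaluate content + isdataat for one rule against a payload."""
    opts = parse_options(rule)
    content = opts["content"].strip().strip('"').encode()
    if content not in payload:
        return False
    offset, negated = parser(opts["isdataat"])
    return isdataat_matches(payload, offset, negated)


def alerting_sids(rules, payload: bytes, parser=parse_isdataat) -> set:
    """Return the set of sids that would alert on the payload."""
    return {int(parse_options(r)["sid"]) for r in rules if rule_alerts(r, payload, parser)}


if __name__ == "__main__":
    print("payload length:", len(PAYLOAD))
    print("whitespace-tolerant parser:", sorted(alerting_sids(RULES, PAYLOAD)))
    print("negation lost on leading space:", sorted(alerting_sids(RULES, PAYLOAD, parse_isdataat_nostrip)))
```

With the whitespace-tolerant parser the alerting sids are 1102010 and 1102013, the set the reporter expects; with the negation-dropping parser they are 1102012 and 1102013, the set observed in Suricata 3.2.1. A quick defensive check for any rule loader is therefore to strip option values before inspecting their first character, and to reject (rather than silently accept) anything left over that is not a digit string.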
Files