Bug #2205 (status: open)
Parent: Feature #4855: rules: refactor rule parsing into multi-stage parser
Buffer confusion with fast_pattern:only;
Description
It appears that the logic for content relative to fast_pattern:only is broken. Using the following against the attached pcap:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; content:"test"; http_uri; content:"ethereal"; distance:0; http_uri; sid:30301;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 2"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; content:"test"; http_uri; content:"ethereal"; http_uri; distance:0; sid:30302;)
I get this error for 30301 (which is on line 23 in my rules file):
This is Suricata version 4.0.0-dev (rev f27b4fc)
[4349] 29/8/2017 -- 12:25:11 - (suricata.c:1109) <Notice> (LogVersion) -- This is Suricata version 4.0.0-dev (rev f27b4fc)
[4349] 29/8/2017 -- 12:25:12 - (detect-distance.c:131) <Error> (DetectDistanceSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
[4349] 29/8/2017 -- 12:25:12 - (detect.c:371) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; flow:established,to_server; content:"ethereal"; fast_pattern:only; content:"down"; http_uri; content:" from file /etc/suricata/rules/et-luajit-scripts/../suricata.rules at line 23
This also happens in 4.0.0, 3.2.1, 3.0.2, 2.0.11 and 1.4.7.
These both work as expected and hit on the attached pcap:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern; content:"test"; http_uri; content:"ethereal"; distance:0; http_uri; sid:30301;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 2"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern; content:"test"; http_uri; content:"ethereal"; http_uri; distance:0; sid:30302;)
In the packet, 'content:"05c04axp1yaqynldtcdiwis0ag1";' is after the URI, so in that case the http_uri contents are being put in the http_uri buffers; otherwise 'content:"ethereal"; http_uri; distance:0;' would fail.
Header:
GET /test/ethereal.html HTTP/1.1
Host: cerberus
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; rv:1.7.3) Gecko/20041004 Firefox/0.10.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: FGNCLIID=05c04axp1yaqynldtcdiwis0ag1
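As an added illustration (not Suricata's code, and a deliberate simplification of its option parser), the Python model below replays the option order of the two fast_pattern:only rules from the report: in a single pass, distance:0 in sid 30301 is checked before the trailing http_uri has moved content:"ethereal" into the URI buffer, so the check lands on the fast_pattern:only content and yields the error quoted above, while sid 30302 passes. Deferring the check until every content knows its final buffer, which is how I read the parent feature's "multi-stage parser" (an assumption, not a description of its design), accepts both rules.

```python
import re
# Options look like `keyword;` or `keyword:value;`; values may be double-quoted.
OPTION_RE = re.compile(r'(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')
# The two fast_pattern:only rules from the report (sid 30301 and 30302).
RULE_30301 = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; '
              'flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; '
              'fast_pattern:only; content:"test"; http_uri; content:"ethereal"; '
              'distance:0; http_uri; sid:30301;)')
RULE_30302 = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 2"; '
              'flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; '
              'fast_pattern:only; content:"test"; http_uri; content:"ethereal"; '
              'http_uri; distance:0; sid:30302;)')

def parse_options(rule):
    """Return (keyword, value) pairs from the text between the outer parentheses."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [(k, v.strip('"') if v else None) for k, v in OPTION_RE.findall(body)]

def anchor_error(contents, idx):
    """A relative modifier anchors on the previous content in the same buffer as
    contents[idx]; return the report's error text if that anchor is fast_pattern:only."""
    cur = contents[idx]
    prev = next((c for c in reversed(contents[:idx]) if c["buffer"] == cur["buffer"]), None)
    if prev is None:
        return "no previous content in buffer " + cur["buffer"]
    return "previous keyword has a fast_pattern:only; set" if prev["fp_only"] else None

def parse_rule(rule, two_stage=False):
    """Single pass: check distance/within when it is seen, before a trailing http_uri
    can move the content (what the report shows). Two-stage: collect everything, then
    check once each content knows its final buffer. Returns None or the error text."""
    contents, deferred, errors = [], [], []
    for key, val in parse_options(rule):
        if key == "content":
            contents.append({"pattern": val, "buffer": "payload", "fp_only": False})
        elif key == "fast_pattern" and val == "only":
            contents[-1]["fp_only"] = True
        elif key == "http_uri":
            contents[-1]["buffer"] = "http_uri"
        elif key in ("distance", "within"):
            if two_stage:
                deferred.append(len(contents) - 1)
            else:
                errors.append(anchor_error(contents, len(contents) - 1))
    errors += [anchor_error(contents, i) for i in deferred]
    return next((e for e in errors if e), None)

if __name__ == "__main__":
    for rule in (RULE_30301, RULE_30302):
        print(re.search(r"sid:(\d+)", rule).group(1), parse_rule(rule), parse_rule(rule, True))
```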
Updated by Jason Williams almost 6 years ago
Was able to confirm this behavior earlier today.
Updated by Andreas Herz over 5 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Andreas Herz almost 4 years ago
This is still a valid issue for 5.0 beta.
Updated by Victor Julien over 3 years ago
- Related to Bug #1826: Rule validation bug with fast_pattern:only and specified buffers added
Updated by Victor Julien over 3 years ago
- Related to Bug #1926: rule parsing: wrong content checked for fast_pattern (snort compatibility) added
Updated by Victor Julien over 1 year ago
- Target version changed from TBD to 8.0.0-beta1