Project

General

Profile

Actions

Bug #2205

open

Feature #4855: rules: refactor rule parsing into multi-stage parser

Buffer confusion with fast_pattern:only;

Added by Francis Trudeau about 7 years ago. Updated 12 months ago.

Status:
Assigned
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

It appears that the logic for content relative to fast_pattern:only is broken. Using the following against the attached pcap:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; content:"test"; http_uri; content:"ethereal"; distance:0; http_uri; sid:30301;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 2"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; content:"test"; http_uri; content:"ethereal"; http_uri; distance:0; sid:30302;)

I get this error for 30301 (which is on line 23 in my rules file):

This is Suricata version 4.0.0-dev (rev f27b4fc)
[4349] 29/8/2017 -- 12:25:11 - (suricata.c:1109) <Notice> (LogVersion) -- This is Suricata version 4.0.0-dev (rev f27b4fc)
[4349] 29/8/2017 -- 12:25:12 - (detect-distance.c:131) <Error> (DetectDistanceSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
[4349] 29/8/2017 -- 12:25:12 - (detect.c:371) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; flow:established,to_server; content:"ethereal"; fast_pattern:only; content:"down"; http_uri; content:" from file /etc/suricata/rules/et-luajit-scripts/../suricata.rules at line 23

This also happens in 4.0.0, 3.2.1, 3.0.2, 2.0.11 and 1.4.7.

These both work as expected and hit on the attached pcap:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern; content:"test"; http_uri; content:"ethereal"; distance:0; http_uri; sid:30301;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 2"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern; content:"test"; http_uri; content:"ethereal"; http_uri; distance:0; sid:30302;)

In the packet, 'content:"05c04axp1yaqynldtcdiwis0ag1";' is after the URI, so in that case the http_uri content are being put in the http_uri buffers otherwise 'content:"ethereal"; http_uri; distance:0;' would fail.

Header:

GET /test/ethereal.html HTTP/1.1
Host: cerberus
User-Agent: Mozilla/5.0 (X11; U; Linux ppc; rv:1.7.3) Gecko/20041004 Firefox/0.10.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: FGNCLIID=05c04axp1yaqynldtcdiwis0ag1

Files

http_gzip.cap (1.67 KB) http_gzip.cap Francis Trudeau, 08/29/2017 01:43 PM

Related issues 2 (2 open0 closed)

Related to Suricata - Bug #1826: Rule validation bug with fast_pattern:only and specified buffersNewOISF DevActions
Related to Suricata - Bug #1926: rule parsing: wrong content checked for fast_pattern (snort compatibility)NewOISF DevActions
Actions #1

Updated by Jason Williams about 7 years ago

was able to confirm this behavior earlier today

Actions #2

Updated by Andreas Herz about 7 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #3

Updated by Andreas Herz over 5 years ago

This is still a valid issue for 5.0 beta.

Actions #4

Updated by Victor Julien about 5 years ago

  • Related to Bug #1826: Rule validation bug with fast_pattern:only and specified buffers added
Actions #5

Updated by Victor Julien about 5 years ago

  • Related to Bug #1926: rule parsing: wrong content checked for fast_pattern (snort compatibility) added
Actions #6

Updated by Victor Julien almost 3 years ago

  • Parent task set to #4855
Actions #7

Updated by Victor Julien almost 3 years ago

  • Target version changed from TBD to 8.0.0-beta1
Actions #8

Updated by Jason Taylor 12 months ago

This appears to still be an issue when using legacy keywords. Using suricata:
[690 - Suricata-Main] 2023-10-26 18:33:19 Notice: suricata: This is Suricata version 7.0.3-dev (2fe2d8250 2023-10-19) running in SYSTEM mode

Using the rules originally supplied:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; content:"test"; http_uri; content:"ethereal"; distance:0; http_uri; sid:30301;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 2"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; content:"test"; http_uri; content:"ethereal"; http_uri; distance:0; sid:30302;)

from suricata.log:
[691 - Suricata-Main] 2023-10-26 18:33:19 Info: counters: Alerts: 0
[691 - Suricata-Main] 2023-10-26 18:33:19 Error: detect-distance: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
[691 - Suricata-Main] 2023-10-26 18:33:19 Error: detect: error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; content:"test"; http_uri; content:"ethereal"; distance:0; http_uri; sid:30301;)" from file /tmp/08354118ce06a232_Oct-26-2023_18-33-19/dalton-custom.rules at line 1
[691 - Suricata-Main] 2023-10-26 18:33:19 Info: detect: 1 rule files processed. 1 rules successfully loaded, 1 rules failed
[691 - Suricata-Main] 2023-10-26 18:33:19 Info: threshold-config: Threshold config parsed: 0 rule(s) found

Actions #9

Updated by Victor Julien 12 months ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien

I'll have a look. I think I inspected issues like this before and it seems that its tricky due to the single pass parsing.

Actions

Also available in: Atom PDF