Bug #2205
openFeature #4855: rules: refactor rule parsing into multi-stage parser
Buffer confusion with fast_pattern:only;
Description
It appears that the logic for content relative to fast_pattern:only is broken. Using the following against the attached pcap:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; content:"test"; http_uri; content:"ethereal"; distance:0; http_uri; sid:30301;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 2"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; content:"test"; http_uri; content:"ethereal"; http_uri; distance:0; sid:30302;)
I get this error for 30301 (which is on line 23 in my rules file):
This is Suricata version 4.0.0-dev (rev f27b4fc) [4349] 29/8/2017 -- 12:25:11 - (suricata.c:1109) <Notice> (LogVersion) -- This is Suricata version 4.0.0-dev (rev f27b4fc) [4349] 29/8/2017 -- 12:25:12 - (detect-distance.c:131) <Error> (DetectDistanceSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content [4349] 29/8/2017 -- 12:25:12 - (detect.c:371) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; flow:established,to_server; content:"ethereal"; fast_pattern:only; content:"down"; http_uri; content:" from file /etc/suricata/rules/et-luajit-scripts/../suricata.rules at line 23
This also happens in 4.0.0, 3.2.1, 3.0.2, 2.0.11 and 1.4.7.
These both work as expected and hit on the attached pcap:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern; content:"test"; http_uri; content:"ethereal"; distance:0; http_uri; sid:30301;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 2"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern; content:"test"; http_uri; content:"ethereal"; http_uri; distance:0; sid:30302;)
In the packet, 'content:"05c04axp1yaqynldtcdiwis0ag1";' is after the URI, so in that case the http_uri content are being put in the http_uri buffers otherwise 'content:"ethereal"; http_uri; distance:0;' would fail.
Header:
GET /test/ethereal.html HTTP/1.1 Host: cerberus User-Agent: Mozilla/5.0 (X11; U; Linux ppc; rv:1.7.3) Gecko/20041004 Firefox/0.10.1 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Cookie: FGNCLIID=05c04axp1yaqynldtcdiwis0ag1
Files
Updated by Jason Williams over 6 years ago
was able to confirm this behavior earlier today
Updated by Andreas Herz about 6 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Andreas Herz over 4 years ago
This is still a valid issue for 5.0 beta.
Updated by Victor Julien about 4 years ago
- Related to Bug #1826: Rule validation bug with fast_pattern:only and specified buffers added
Updated by Victor Julien about 4 years ago
- Related to Bug #1926: rule parsing: wrong content checked for fast_pattern (snort compatibility) added
Updated by Victor Julien about 2 years ago
- Target version changed from TBD to 8.0.0-beta1
Updated by Jason Taylor about 1 month ago
This appears to still be an issue when using legacy keywords. Using suricata:
[690 - Suricata-Main] 2023-10-26 18:33:19 Notice: suricata: This is Suricata version 7.0.3-dev (2fe2d8250 2023-10-19) running in SYSTEM mode
Using the rules originally supplied:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; content:"test"; http_uri; content:"ethereal"; distance:0; http_uri; sid:30301;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 2"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; content:"test"; http_uri; content:"ethereal"; http_uri; distance:0; sid:30302;)
from suricata.log:
[691 - Suricata-Main] 2023-10-26 18:33:19 Info: counters: Alerts: 0
[691 - Suricata-Main] 2023-10-26 18:33:19 Error: detect-distance: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
[691 - Suricata-Main] 2023-10-26 18:33:19 Error: detect: error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; content:"test"; http_uri; content:"ethereal"; distance:0; http_uri; sid:30301;)" from file /tmp/08354118ce06a232_Oct-26-2023_18-33-19/dalton-custom.rules at line 1
[691 - Suricata-Main] 2023-10-26 18:33:19 Info: detect: 1 rule files processed. 1 rules successfully loaded, 1 rules failed
[691 - Suricata-Main] 2023-10-26 18:33:19 Info: threshold-config: Threshold config parsed: 0 rule(s) found
Updated by Victor Julien about 1 month ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Victor Julien
I'll have a look. I think I inspected issues like this before and it seems that its tricky due to the single pass parsing.