<p>Open Information Security Foundation: Suricata - Bug #2205: Buffer confusion with fast_pattern:only; (<a href="https://redmine.openinfosecfoundation.org/issues/2205">https://redmine.openinfosecfoundation.org/issues/2205</a>)</p>

<p><strong>Jason Williams</strong>, 2017-08-29T14:27:34Z (<a href="https://redmine.openinfosecfoundation.org/issues/2205?journal_id=8595">journal 8595</a>)</p>
<p>Was able to confirm this behavior earlier today.</p>

<p><strong>Andreas Herz</strong> (oisf@herzandreas.de), 2017-09-06T15:55:34Z (<a href="https://redmine.openinfosecfoundation.org/issues/2205?journal_id=8614">journal 8614</a>)</p>
<ul><li><strong>Assignee</strong> set to <i>OISF Dev</i></li><li><strong>Target version</strong> set to <i>TBD</i></li></ul>

<p><strong>Andreas Herz</strong> (oisf@herzandreas.de), 2019-07-09T22:04:51Z (<a href="https://redmine.openinfosecfoundation.org/issues/2205?journal_id=12906">journal 12906</a>)</p>
<p>This is still a valid issue for 5.0 beta.</p>

<p><strong>Victor Julien</strong> (victor@inliniac.net), 2019-09-27T13:05:42Z (<a href="https://redmine.openinfosecfoundation.org/issues/2205?journal_id=14011">journal 14011</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-1 priority-4 priority-default child" href="/issues/1826">Bug #1826</a>: Rule validation bug with fast_pattern:only and specified buffers</i> added</li></ul>

<p><strong>Victor Julien</strong> (victor@inliniac.net), 2019-09-27T13:06:14Z (<a href="https://redmine.openinfosecfoundation.org/issues/2205?journal_id=14013">journal 14013</a>)</p>
<ul><li><strong>Related to</strong> <i><a class="issue tracker-1 status-1 priority-4 priority-default child" href="/issues/1926">Bug #1926</a>: rule parsing: wrong content checked for fast_pattern (snort compatibility)</i> added</li></ul>

<p><strong>Victor Julien</strong> (victor@inliniac.net), 2021-11-26T13:21:53Z (<a href="https://redmine.openinfosecfoundation.org/issues/2205?journal_id=21465">journal 21465</a>)</p>
<ul><li><strong>Parent task</strong> set to <i>#4855</i></li></ul>

<p><strong>Victor Julien</strong> (victor@inliniac.net), 2021-11-26T13:22:48Z (<a href="https://redmine.openinfosecfoundation.org/issues/2205?journal_id=21469">journal 21469</a>)</p>
<ul><li><strong>Target version</strong> changed from <i>TBD</i> to <i>8.0.0-beta1</i></li></ul>

<p><strong>Jason Taylor</strong>, 2023-10-26T18:41:17Z (<a href="https://redmine.openinfosecfoundation.org/issues/2205?journal_id=30429">journal 30429</a>)</p>
<p>This appears to still be an issue when using legacy keywords. Using Suricata:<br />[690 - Suricata-Main] 2023-10-26 18:33:19 Notice: suricata: This is Suricata version 7.0.3-dev (2fe2d8250 2023-10-19) running in SYSTEM mode</p>
<p>Using the rules originally supplied:</p>
<p>alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; content:"test"; http_uri; content:"ethereal"; distance:0; http_uri; sid:30301;)</p>
<p>alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 2"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; content:"test"; http_uri; content:"ethereal"; http_uri; distance:0; sid:30302;)</p>
<p>From suricata.log:<br />[691 - Suricata-Main] 2023-10-26 18:33:19 Info: counters: Alerts: 0<br />[691 - Suricata-Main] 2023-10-26 18:33:19 Error: detect-distance: previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content<br />[691 - Suricata-Main] 2023-10-26 18:33:19 Error: detect: error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; content:"test"; http_uri; content:"ethereal"; distance:0; http_uri; sid:30301;)" from file /tmp/08354118ce06a232_Oct-26-2023_18-33-19/dalton-custom.rules at line 1<br />[691 - Suricata-Main] 2023-10-26 18:33:19 Info: detect: 1 rule files processed. 1 rules successfully loaded, 1 rules failed<br />[691 - Suricata-Main] 2023-10-26 18:33:19 Info: threshold-config: Threshold config parsed: 0 rule(s) found</p>

<p><strong>Victor Julien</strong> (victor@inliniac.net), 2023-10-27T18:06:16Z (<a href="https://redmine.openinfosecfoundation.org/issues/2205?journal_id=30447">journal 30447</a>)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> changed from <i>OISF Dev</i> to <i>Victor Julien</i></li></ul><p>I'll have a look. I think I inspected issues like this before and it seems that it's tricky due to the single-pass parsing.</p>
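<p>The two test rules in Jason Taylor's comment differ only in whether <code>http_uri</code> comes before or after <code>distance:0</code> on the last content, and only the second one loads. The Python below is an added example written for this page; it is not Suricata's code and not part of the ticket. It models the single-pass binding of legacy content modifiers that the thread is about: a <code>content</code> stays in the generic payload list until its buffer modifier is seen, so a <code>distance</code> written before <code>http_uri</code> is anchored to the previous payload content (the <code>fast_pattern:only</code> one) and rejected with the message quoted from suricata.log, while the same <code>distance</code> written after <code>http_uri</code> is anchored to the previous content of the http_uri list. The set of buffer keywords, the dict layout, and the <code>normalize</code> helper that moves each buffer modifier directly after its content are this example's own assumptions, not Suricata behaviour described on the page; the two rules are the ones posted in the thread.</p>

```python
"""Single-pass model of how Suricata binds legacy (non-sticky) content modifiers.

Added example for this ticket; not Suricata's code. It replays the ordering
problem in the two test rules: a relative modifier (distance/within) written
before the buffer modifier (http_uri) is bound while the content still sits
in the generic payload list, so it becomes relative to the previous payload
content, which here is the fast_pattern:only one, and the rule is refused.
"""
import re

# Assumed subset of Suricata's legacy buffer modifiers: each moves the most
# recent content out of the payload list into that buffer's list.
BUFFER_MODIFIERS = {
    "http_uri", "http_raw_uri", "http_header", "http_raw_header", "http_cookie",
    "http_method", "http_client_body", "http_host", "http_user_agent",
    "http_stat_code", "http_stat_msg", "file_data",
}
RELATIVE_MODIFIERS = {"distance", "within"}
CONTENT_MODIFIERS = RELATIVE_MODIFIERS | {"fast_pattern", "nocase", "offset", "depth"}
ALL_MODIFIERS = BUFFER_MODIFIERS | CONTENT_MODIFIERS

# keyword[:value];  where value is a quoted string or anything up to the ';'
OPT_RE = re.compile(r'(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')

# The two rules from the thread (sid 30301 fails to load, sid 30302 loads).
RULE_1 = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 1"; '
          'flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; '
          'content:"test"; http_uri; content:"ethereal"; distance:0; http_uri; sid:30301;)')
RULE_2 = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO Order Test 2"; '
          'flow:established,to_server; content:"05c04axp1yaqynldtcdiwis0ag1"; fast_pattern:only; '
          'content:"test"; http_uri; content:"ethereal"; http_uri; distance:0; sid:30302;)')


class RuleError(ValueError):
    """Raised where the modelled parser would refuse to load the rule."""


def parse_options(rule):
    """Return [(keyword, value or None), ...] from the text inside ( ... )."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [(k, v or None) for k, v in OPT_RE.findall(body)]


def simulate(rule):
    """Bind modifiers in one left-to-right pass, as the thread describes.

    Returns {list_name: [content, ...]}; each content is a dict with the
    pattern, whether it is fast_pattern:only and whether it is relative.
    """
    lists = {"payload": []}
    last = None                      # list currently holding the newest content
    for kw, val in parse_options(rule):
        if kw == "content":
            lists["payload"].append({"pattern": val.strip('"'),
                                     "fp_only": False, "relative": False})
            last = "payload"
        elif kw in BUFFER_MODIFIERS:
            if last is None:
                raise RuleError(f"{kw} without a preceding content")
            content = lists[last].pop()               # newest content leaves its list
            lists.setdefault(kw, []).append(content)  # and joins the buffer's list
            last = kw
        elif kw == "fast_pattern" and val == "only":
            if last is None or lists[last][-1]["relative"]:
                raise RuleError("fast_pattern:only on a relative content")
            lists[last][-1]["fp_only"] = True
        elif kw in RELATIVE_MODIFIERS:
            if last is None or len(lists[last]) < 2:
                raise RuleError(f"{kw} has no previous content in the {last or 'payload'} list")
            prev = lists[last][-2]   # anchor is the previous content in the SAME list
            if prev["fp_only"]:      # error text as logged by Suricata in the thread
                raise RuleError(f"{kw}: previous keyword has a fast_pattern:only; set. "
                                "Can't have relative keywords around a fast_pattern only content")
            lists[last][-1]["relative"] = True
    return lists


def check(rule):
    """Return (True, lists) when the rule binds cleanly, else (False, error text)."""
    try:
        return True, simulate(rule)
    except RuleError as err:
        return False, str(err)


def normalize(rule):
    """Rewrite a legacy-modifier rule so each buffer modifier directly follows its
    content, ahead of distance/within/fast_pattern (the order sid 30302 uses).
    Assumes one rule per string in the usual 'kw:val;' option syntax."""
    opts = parse_options(rule)
    out, i = [], 0
    while i < len(opts):
        kw, val = opts[i]
        out.append((kw, val))
        i += 1
        if kw != "content":
            continue
        run = []                                  # the modifiers of this content
        while i < len(opts) and opts[i][0] in ALL_MODIFIERS:
            run.append(opts[i])
            i += 1
        out += [o for o in run if o[0] in BUFFER_MODIFIERS]
        out += [o for o in run if o[0] not in BUFFER_MODIFIERS]
    head = rule[:rule.index("(") + 1]
    body = " ".join(f"{k}:{v};" if v is not None else f"{k};" for k, v in out)
    return head + body + ")"


if __name__ == "__main__":
    for rule in (RULE_1, RULE_2, normalize(RULE_1)):
        ok, result = check(rule)
        print("loads" if ok else "REJECTED", "->", result)
```

<p>Running it prints the rejection for sid 30301 with the same "previous keyword has a fast_pattern:only; set" text seen in suricata.log, shows sid 30302 binding <code>ethereal</code> relative to <code>test</code> inside the http_uri list, and shows that <code>normalize(RULE_1)</code> produces the option order of sid 30302 and loads. Rules written with sticky buffers, where the buffer keyword precedes its contents, never take the payload-list detour that the legacy modifiers do, which is why the report is specifically about legacy keywords.</p>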