Bug #223
closedNo error without content use '' on suricata
Description
Hi,
I have a error with this sig:
alert udp any any -> any any (msg:"test"; content:""; sid:238012;)
But no error with this sig:
alert udp any any -> any any (msg:"test"; content:''; sid:238013;)
Regards
Rmkml
Files
Updated by Anoop Saldanha over 13 years ago
- Assignee set to Anoop Saldanha
- Target version set to 1.0.1
Updated by Anoop Saldanha over 13 years ago
- File 0001-invalidate-sigs-with-content-strings-boo-boo.patch added
Patch attached.
Updated by Victor Julien over 13 years ago
- Due date set to 07/29/2010
- Estimated time set to 4.00 h
Uricontent will likely have the same issue. Can you check that as well?
Updated by Victor Julien over 13 years ago
Valgrind is unhappy with the unittest:
==637== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 33 from 8) ==637== ==637== 1 errors in context 1 of 1: ==637== Invalid write of size 1 ==637== at 0x8122D06: DetectContentParse (detect-content.c:108) ==637== by 0x8124192: DetectContentSetup (detect-content.c:429) ==637== by 0x811C255: SigParseOptions (detect-parse.c:647) ==637== by 0x811C3A1: SigParseOptions (detect-parse.c:660) ==637== by 0x811D521: SigParse (detect-parse.c:953) ==637== by 0x811E6FF: SigInit (detect-parse.c:1247) ==637== by 0x8126CC4: DetectContentParseTest21 (detect-content.c:1427) ==637== by 0x81C7B6A: UtRunTests (util-unittest.c:199) ==637== by 0x804E0F0: main (suricata.c:914) ==637== Address 0x4614447 is 1 bytes before a block of size 1 alloc'd ==637== at 0x4024C1C: malloc (vg_replace_malloc.c:195) ==637== by 0x4187DBF: strdup (strdup.c:43) ==637== by 0x8122CD2: DetectContentParse (detect-content.c:106) ==637== by 0x8124192: DetectContentSetup (detect-content.c:429) ==637== by 0x811C255: SigParseOptions (detect-parse.c:647) ==637== by 0x811C3A1: SigParseOptions (detect-parse.c:660) ==637== by 0x811D521: SigParse (detect-parse.c:953) ==637== by 0x811E6FF: SigInit (detect-parse.c:1247) ==637== by 0x8126CC4: DetectContentParseTest21 (detect-content.c:1427) ==637== by 0x81C7B6A: UtRunTests (util-unittest.c:199) ==637== by 0x804E0F0: main (suricata.c:914)
Updated by Victor Julien over 13 years ago
Btw, on the mailinglist the case content:"||"; was reported as well. We should reject that as well, like Snort is said to do.
Updated by Anoop Saldanha over 13 years ago
- File 0001-invalidate-sigs-with-content-uricontent-strings-boo-.patch added
you can undo the previous patch. Attached new patch
Also fixed a bug in parsing content: !\"boo\";
Updated by Anoop Saldanha over 13 years ago
- File deleted (
0001-invalidate-sigs-with-content-strings-boo-boo.patch)
Updated by Victor Julien over 13 years ago
- Target version changed from 1.0.1 to 1.0.2
Minor issue, so not risking new bugs for today's 1.0.1.
Updated by Anoop Saldanha over 13 years ago
- File deleted (
0001-invalidate-sigs-with-content-uricontent-strings-boo-.patch)
Updated by Anoop Saldanha over 13 years ago
- File 0001-invalidate-sigs-with-content-uricontent-strings-boo-.patch 0001-invalidate-sigs-with-content-uricontent-strings-boo-.patch added
Attached a new patch for handling "content, content" cases. As well as fixed some bugs with handling ! cases.
Updated by Anoop Saldanha over 13 years ago
- File 0002-throw-out-contents-uricnotents-with-invalid-hex-asse.patch 0002-throw-out-contents-uricnotents-with-invalid-hex-asse.patch added
Attached another patch, incremental over the previous one. Throw out invalid assembly codes in content/uricontent.
Updated by Victor Julien over 13 years ago
- Due date changed from 07/29/2010 to 09/15/2010
- Target version changed from 1.0.2 to 1.1beta1
- Estimated time changed from 4.00 h to 6.00 h
Updated by Victor Julien over 13 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
Both applied to my local tree. Thanks Anoop!