Project

General

Profile

Actions

Bug #223

closed

No error without content use '' on suricata

Added by rmkml rmkml almost 13 years ago. Updated over 12 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,
I have a error with this sig:
 alert udp any any -> any any (msg:"test"; content:""; sid:238012;)
But no error with this sig:
 alert udp any any -> any any (msg:"test"; content:''; sid:238013;)
Regards
Rmkml


Files

Actions #1

Updated by Anoop Saldanha almost 13 years ago

  • Assignee set to Anoop Saldanha
  • Target version set to 1.0.1
Actions #2

Updated by Anoop Saldanha almost 13 years ago

  • File 0001-invalidate-sigs-with-content-strings-boo-boo.patch added

Patch attached.

Actions #3

Updated by Victor Julien almost 13 years ago

  • Due date set to 07/29/2010
  • Estimated time set to 4.00 h

Uricontent will likely have the same issue. Can you check that as well?

Actions #4

Updated by Victor Julien almost 13 years ago

Valgrind is unhappy with the unittest:

==637== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 33 from 8)
==637==
==637== 1 errors in context 1 of 1:
==637== Invalid write of size 1
==637==    at 0x8122D06: DetectContentParse (detect-content.c:108)
==637==    by 0x8124192: DetectContentSetup (detect-content.c:429)
==637==    by 0x811C255: SigParseOptions (detect-parse.c:647)
==637==    by 0x811C3A1: SigParseOptions (detect-parse.c:660)
==637==    by 0x811D521: SigParse (detect-parse.c:953)
==637==    by 0x811E6FF: SigInit (detect-parse.c:1247)
==637==    by 0x8126CC4: DetectContentParseTest21 (detect-content.c:1427)
==637==    by 0x81C7B6A: UtRunTests (util-unittest.c:199)
==637==    by 0x804E0F0: main (suricata.c:914)
==637==  Address 0x4614447 is 1 bytes before a block of size 1 alloc'd
==637==    at 0x4024C1C: malloc (vg_replace_malloc.c:195)
==637==    by 0x4187DBF: strdup (strdup.c:43)
==637==    by 0x8122CD2: DetectContentParse (detect-content.c:106)
==637==    by 0x8124192: DetectContentSetup (detect-content.c:429)
==637==    by 0x811C255: SigParseOptions (detect-parse.c:647)
==637==    by 0x811C3A1: SigParseOptions (detect-parse.c:660)
==637==    by 0x811D521: SigParse (detect-parse.c:953)
==637==    by 0x811E6FF: SigInit (detect-parse.c:1247)
==637==    by 0x8126CC4: DetectContentParseTest21 (detect-content.c:1427)
==637==    by 0x81C7B6A: UtRunTests (util-unittest.c:199)
==637==    by 0x804E0F0: main (suricata.c:914)
Actions #5

Updated by Victor Julien almost 13 years ago

Btw, on the mailinglist the case content:"||"; was reported as well. We should reject that as well, like Snort is said to do.

Actions #6

Updated by Anoop Saldanha almost 13 years ago

  • File 0001-invalidate-sigs-with-content-uricontent-strings-boo-.patch added

you can undo the previous patch. Attached new patch

Also fixed a bug in parsing content: !\"boo\";

Actions #7

Updated by Anoop Saldanha almost 13 years ago

  • File deleted (0001-invalidate-sigs-with-content-strings-boo-boo.patch)
Actions #8

Updated by Victor Julien almost 13 years ago

  • Target version changed from 1.0.1 to 1.0.2

Minor issue, so not risking new bugs for today's 1.0.1.

Actions #9

Updated by Anoop Saldanha over 12 years ago

  • File deleted (0001-invalidate-sigs-with-content-uricontent-strings-boo-.patch)
Actions #10

Updated by Anoop Saldanha over 12 years ago

Attached a new patch for handling "content, content" cases. As well as fixed some bugs with handling ! cases.

Actions #11

Updated by Anoop Saldanha over 12 years ago

Attached another patch, incremental over the previous one. Throw out invalid assembly codes in content/uricontent.

Actions #12

Updated by Victor Julien over 12 years ago

  • Due date changed from 07/29/2010 to 09/15/2010
  • Target version changed from 1.0.2 to 1.1beta1
  • Estimated time changed from 4.00 h to 6.00 h
Actions #13

Updated by Victor Julien over 12 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Both applied to my local tree. Thanks Anoop!

Actions

Also available in: Atom PDF