Project

General

Profile

Actions

Optimization #2400

closed

Raise error when content length is longer than depth value

Added by Jack Mott almost 5 years ago. Updated almost 5 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Target version:
-
Effort:
Difficulty:
Label:

Description

Can we receive an error when the length of a content is longer than the subsequent depth value, similar to how the "within" keyword behaves?

Example, which won't fire, but does not show error:

content:"Microsoft BITS/"; http_user_agent; depth:5;

When using the within keyword when the content length is longer than the value of "within" we receive this error:

<Error> - [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "5" is less than the content length "15" which is invalid, since this will never match. Invalidating signature


Files

depth-example.pcap (1.72 KB) depth-example.pcap Jack Mott, 01/02/2018 02:46 PM

Related issues 1 (0 open1 closed)

Is duplicate of Bug #2293: rules: depth < content rules not rejectedClosedVictor Julien11/28/2017Actions
Actions #1

Updated by Jack Mott almost 5 years ago

Tested on Suricata 4.0.1:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example (short depth)"; flow:established,to_server; content:"Microsoft BITS/"; http_user_agent; depth:5; classtype:trojan-activity; sid:10000000; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example (short within)"; flow:established,to_server; content:"Microsoft BITS/"; http_user_agent; within:5; classtype:trojan-activity; sid:10000001; rev:1;)

PCAP attached.

Actions #2

Updated by Peter Manev almost 5 years ago

pevma@DONPEDRO:~/Work/Suricata/tests/tmp$ sudo suricata -T -S test.rules -vv -l log/
[29548] 2/1/2018 -- 21:52:56 - (suricata.c:1887) <Info> (ParseCommandLine) -- Running suricata under test mode
[29548] 2/1/2018 -- 21:52:56 - (suricata.c:1113) <Notice> (LogVersion) -- This is Suricata version 4.1.0-dev (rev 282dad79)
[29548] 2/1/2018 -- 21:52:56 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 8
[29548] 2/1/2018 -- 21:52:56 - (detect-depth.c:119) <Error> (DetectDepthSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - depth:5 smaller than content of len 15
[29548] 2/1/2018 -- 21:52:56 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example (short depth)"; flow:established,to_server; content:"Microsoft BITS/"; http_user_agent; depth:5; classtype:trojan-activity; sid:10000000; rev:1;)" from file test.rules at line 1
[29548] 2/1/2018 -- 21:52:56 - (detect-within.c:120) <Error> (DetectWithinSetup) -- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "5" is less than the content length "15" which is invalid, since this will never match.  Invalidating signature
[29548] 2/1/2018 -- 21:52:56 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example (short within)"; flow:established,to_server; content:"Microsoft BITS/"; http_user_agent; within:5; classtype:trojan-activity; sid:10000001; rev:1;)" from file test.rules at line 3
[29548] 2/1/2018 -- 21:52:56 - (detect-engine-loader.c:343) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
[29548] 2/1/2018 -- 21:52:56 - (suricata.c:2432) <Error> (LoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
pevma@DONPEDRO:~/Work/Suricata/tests/tmp$ cat test.rules 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example (short depth)"; flow:established,to_server; content:"Microsoft BITS/"; http_user_agent; depth:5; classtype:trojan-activity; sid:10000000; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example (short within)"; flow:established,to_server; content:"Microsoft BITS/"; http_user_agent; within:5; classtype:trojan-activity; sid:10000001; rev:1;)
pevma@DONPEDRO:~/Work/Suricata/tests/tmp$

Seems it errors out correct in latest git master - so it should be ok in the next stable.

Actions #3

Updated by Victor Julien almost 5 years ago

  • Status changed from New to Rejected

Already fixed in 4.0.3. Please test against the current stable and/or git before reporting a bug.

Actions #4

Updated by Victor Julien almost 5 years ago

  • Is duplicate of Bug #2293: rules: depth < content rules not rejected added
Actions

Also available in: Atom PDF