Optimization #2400

Raise error when content length is longer than depth value

Added by Jack Mott over 6 years ago. Updated over 6 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Target version:
-
Effort:
Difficulty:
Label:

Description

Can we receive an error when the length of a content is longer than the subsequent depth value, similar to how the "within" keyword behaves?

Example, which won't fire but does not show an error:

content:"Microsoft BITS/"; http_user_agent; depth:5;

When using the within keyword, when the content length is longer than the value of "within", we receive this error:

<Error> - [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "5" is less than the content length "15" which is invalid, since this will never match. Invalidating signature


Files

depth-example.pcap (1.72 KB) Jack Mott, 01/02/2018 02:46 PM

Related issues 1 (0 open, 1 closed)

Is duplicate of Suricata - Bug #2293: rules: depth < content rules not rejected (Closed, Victor Julien, 11/28/2017)
#1

Updated by Jack Mott over 6 years ago

Tested on Suricata 4.0.1:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example (short depth)"; flow:established,to_server; content:"Microsoft BITS/"; http_user_agent; depth:5; classtype:trojan-activity; sid:10000000; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example (short within)"; flow:established,to_server; content:"Microsoft BITS/"; http_user_agent; within:5; classtype:trojan-activity; sid:10000001; rev:1;)

PCAP attached.

#2

Updated by Peter Manev over 6 years ago

pevma@DONPEDRO:~/Work/Suricata/tests/tmp$ sudo suricata -T -S test.rules -vv -l log/
[29548] 2/1/2018 -- 21:52:56 - (suricata.c:1887) <Info> (ParseCommandLine) -- Running suricata under test mode
[29548] 2/1/2018 -- 21:52:56 - (suricata.c:1113) <Notice> (LogVersion) -- This is Suricata version 4.1.0-dev (rev 282dad79)
[29548] 2/1/2018 -- 21:52:56 - (util-cpu.c:171) <Info> (UtilCpuPrintSummary) -- CPUs/cores online: 8
[29548] 2/1/2018 -- 21:52:56 - (detect-depth.c:119) <Error> (DetectDepthSetup) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - depth:5 smaller than content of len 15
[29548] 2/1/2018 -- 21:52:56 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example (short depth)"; flow:established,to_server; content:"Microsoft BITS/"; http_user_agent; depth:5; classtype:trojan-activity; sid:10000000; rev:1;)" from file test.rules at line 1
[29548] 2/1/2018 -- 21:52:56 - (detect-within.c:120) <Error> (DetectWithinSetup) -- [ERRCODE: SC_ERR_WITHIN_INVALID(106)] - within argument "5" is less than the content length "15" which is invalid, since this will never match.  Invalidating signature
[29548] 2/1/2018 -- 21:52:56 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example (short within)"; flow:established,to_server; content:"Microsoft BITS/"; http_user_agent; within:5; classtype:trojan-activity; sid:10000001; rev:1;)" from file test.rules at line 3
[29548] 2/1/2018 -- 21:52:56 - (detect-engine-loader.c:343) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
[29548] 2/1/2018 -- 21:52:56 - (suricata.c:2432) <Error> (LoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
pevma@DONPEDRO:~/Work/Suricata/tests/tmp$ cat test.rules 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example (short depth)"; flow:established,to_server; content:"Microsoft BITS/"; http_user_agent; depth:5; classtype:trojan-activity; sid:10000000; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example (short within)"; flow:established,to_server; content:"Microsoft BITS/"; http_user_agent; within:5; classtype:trojan-activity; sid:10000001; rev:1;)
pevma@DONPEDRO:~/Work/Suricata/tests/tmp$

Seems it errors out correctly in latest git master, so it should be ok in the next stable.
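The test-mode run above shows the engine rejecting both rules at load time. For screening a rule set before it ever reaches `suricata -T`, here is an added example (not Suricata's own code) that re-implements the two checks in Python: it splits a rule's option block into keywords, computes the byte length of each content (counting a |hex| block as one byte per two hex digits and a backslash escape as one byte), and flags any depth or within whose value is smaller than that length, since such a rule can never match. The rule list embeds the ticket's two rules plus two constructed ones that must pass; the offset/distance interaction, byte_extract variables as arguments, and every other validation the engine performs are deliberately left out.

```python
"""Screen Suricata rules for depth/within values shorter than the preceding content.
Added example, not Suricata's own code: it re-implements the two checks that
`suricata -T` reports above (depth or within smaller than the content length),
since a pattern can never match inside a window shorter than itself. Deliberately
out of scope: offset/distance interaction, byte_extract variables as arguments,
and every other validation the engine performs.
"""
import re

_HEX_BLOCK = re.compile(r"\|([0-9A-Fa-f\s]*)\|")  # a |0d 0a| style block inside a content


def content_length(pattern: str) -> int:
    """Byte length of a content pattern: each |hex| block is one byte per two hex
    digits, and a backslash escape (\\" \\; \\: \\\\ \\|) is one byte."""
    total, pos = 0, 0
    while pos < len(pattern):
        ch = pattern[pos]
        if ch == "|":
            m = _HEX_BLOCK.match(pattern, pos)
            if m is None:
                raise ValueError("unterminated |hex| block in %r" % pattern)
            digits = re.sub(r"\s", "", m.group(1))
            if len(digits) % 2:
                raise ValueError("odd number of hex digits in %r" % m.group(0))
            total += len(digits) // 2
            pos = m.end()
        elif ch == "\\":
            total += 1
            pos += 2  # the escape character plus the byte it protects
        else:
            total += 1
            pos += 1
    return total


def split_options(body: str) -> list:
    """Split the text inside the rule's parentheses into (keyword, value) pairs,
    honouring quotes and escapes; value is None for a bare keyword."""
    opts, buf, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            buf.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    opts.append("".join(buf))
    pairs = []
    for opt in (o.strip() for o in opts):
        if opt:
            key, sep, val = opt.partition(":")
            pairs.append((key.strip(), val.strip() if sep else None))
    return pairs


def check_rule(rule: str) -> list:
    """Return the depth/within problems found in one rule, empty if it is fine."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return ["rule has no option block"]
    problems, current = [], None  # current = (pattern, byte length) of the last content
    for key, val in split_options(rule[start + 1:end]):
        if key == "content":
            pat = (val or "").lstrip("!")  # negation does not change the length
            try:
                if len(pat) < 2 or pat[0] != '"' or pat[-1] != '"':
                    raise ValueError("content value is not quoted: %r" % val)
                current = (pat[1:-1], content_length(pat[1:-1]))
            except ValueError as exc:
                problems.append(str(exc))
                current = None
        elif key in ("depth", "within"):
            if current is None:
                problems.append("%s without a preceding content" % key)
            elif val is None or not val.isdigit():
                problems.append("%s needs a numeric argument, got %r" % (key, val))
            elif int(val) < current[1]:
                problems.append("%s:%s smaller than content %r of len %d (can never match)"
                                % (key, val, current[0], current[1]))
    return problems


# Constructed rule set: the ticket's two rules plus two that must pass.
RULES = [
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example (short depth)"; flow:established,to_server; content:"Microsoft BITS/"; http_user_agent; depth:5; classtype:trojan-activity; sid:10000000; rev:1;)',
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Example (short within)"; flow:established,to_server; content:"Microsoft BITS/"; http_user_agent; within:5; classtype:trojan-activity; sid:10000001; rev:1;)',
    'alert http any any -> any any (msg:"depth equal to content length is fine"; content:"Microsoft BITS/"; http_user_agent; depth:15; sid:10000002; rev:1;)',
    'alert tcp any any -> any any (msg:"|0d 0a| counts as two bytes"; content:"GET"; content:"ab|0d 0a|"; within:4; sid:10000003; rev:1;)',
]


def lint(rules: list) -> dict:
    """Map the 1-based index of every failing rule to its list of problems."""
    return {i: p for i, r in enumerate(rules, 1) if (p := check_rule(r))}
```

Calling `lint(RULES)` reports rules 1 and 2 (the ticket's depth:5 and within:5 against a 15-byte content) and passes the other two. The linter is a pre-check only; the engine's own `-T` run remains the authority, and a rule this script accepts can still be rejected there for reasons it does not model.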

#3

Updated by Victor Julien over 6 years ago

  • Status changed from New to Rejected

Already fixed in 4.0.3. Please test against the current stable and/or git before reporting a bug.

#4

Updated by Victor Julien over 6 years ago

  • Is duplicate of Bug #2293: rules: depth < content rules not rejected added