Bug #2558: negated fileext and filename do not work as expected
Status: closed
Description
A bug in the detect-fileext and detect-filename modules prevents the negated versions of the two matchers from working correctly.
The bug is that the check for the negated match is performed in the wrong way.
In the case of the simple matcher fileext:!"php", we take the branch inside the if at line 113. There, we do not set the match because we take the NO branch of the if at line 115, and finally we take the YES branch at line 121, resulting in a final match.
The fix is easy: we can just copy the detect-filemagic behavior and use an if-else, without the check on ret == 0, for the last if at line 121.
The same behavior can be observed in detect-filemagic.
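To make the control flow concrete, here is an added, constructed C reconstruction of the matcher described above; it is not Suricata's own code. The flag name `FLAG_NEGATED`, the helper `ext_matches`, and the function names are assumptions, and the three commented `if` statements stand in for the ones the report refers to as lines 113, 115 and 121. The buggy variant keeps the trailing `ret == 0 && negated` check; the fixed variant uses the if-else the report proposes.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the keyword's option flags (assumption). */
#define FLAG_NEGATED 0x01

/* Does `name` end in ".<ext>"? Extension compared case-insensitively
 * (the real matcher lowercases too; this helper is a simplification). */
static int ext_matches(const char *name, const char *ext)
{
    if (name == NULL)
        return 0;
    size_t name_len = strlen(name);
    size_t ext_len = strlen(ext);
    if (name_len <= ext_len)
        return 0;
    size_t offset = name_len - ext_len;
    if (name[offset - 1] != '.')
        return 0;
    for (size_t i = 0; i < ext_len; i++) {
        if (tolower((unsigned char)name[offset + i]) !=
            tolower((unsigned char)ext[i]))
            return 0;
    }
    return 1;
}

/* Reconstruction of the buggy flow: when the extension matches and the
 * keyword is negated, ret stays 0, so the last check wrongly fires. */
int fileext_match_buggy(const char *name, const char *ext, int flags)
{
    int ret = 0;
    if (ext_matches(name, ext)) {              /* the if at "line 113" */
        if (!(flags & FLAG_NEGATED)) {         /* the if at "line 115" */
            ret = 1;
        }
    }
    if (ret == 0 && (flags & FLAG_NEGATED)) {  /* the if at "line 121" */
        ret = 1;  /* reached even on a positive match of a negated keyword */
    }
    return ret;
}

/* The proposed fix: an if-else with no ret == 0 check, so a negated
 * keyword only matches when the extension does NOT match. */
int fileext_match_fixed(const char *name, const char *ext, int flags)
{
    int ret = 0;
    if (ext_matches(name, ext)) {
        if (!(flags & FLAG_NEGATED))
            ret = 1;
    } else if (flags & FLAG_NEGATED) {
        ret = 1;
    }
    return ret;
}

int main(void)
{
    /* Constructed file name taken from the report's test rule. */
    const char *name = "2008.mp4";
    printf("buggy fileext:!\"mp4\" on %s -> %d\n", name,
           fileext_match_buggy(name, "mp4", FLAG_NEGATED));
    printf("fixed fileext:!\"mp4\" on %s -> %d\n", name,
           fileext_match_fixed(name, "mp4", FLAG_NEGATED));
    return 0;
}
```

Run against the report's scenario, the buggy variant returns 1 (an alert) for a file named 2008.mp4 under fileext:!"mp4", while the fixed variant returns 0 and only alerts on files whose extension is not mp4.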
Test:
alert http any any -> any any (msg:"FILE HTTP signature: html application"; file_data; filestore; fileext:!"mp4"; sid:106499112; rev:1;)
alert http any any -> any any (msg:"FILE HTTP signature: html application"; file_data; filestore; filename:!"2008.mp4"; sid:106499113; rev:1;)
Expected behavior:
0 alerts
Observed Behavior:
2 alerts
Pcap attached for simpler testing.