Bug #2558


negated fileext and filename do not work as expected

Added by Maurizio Abba over 5 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort: low
Difficulty: low
Label:

Description

A bug in the detect-fileext and detect-filename modules prevents the negated versions of the two matchers from working correctly.

The bug is that the check for the negated match is performed the wrong way round.

For the simple matcher fileext:!"php", we take the branch inside the if at line 113. There, the match is not set because we take the NO branch of the if at line 115, and finally we take the YES branch of the if at line 121, which results in a match.

The fix is easy: copy the detect-filemagic behavior and use an if-else, without the ret == 0 check, for the last if at line 121.

The same behavior can be observed in detect-filemagic.

Test:
alert http any any -> any any (msg:"FILE HTTP signature: html application"; file_data; filestore; fileext:!"mp4"; sid:106499112; rev:1;)
alert http any any -> any any (msg:"FILE HTTP signature: html application"; file_data; filestore; filename:!"2008.mp4"; sid:106499113; rev:1;)

Expected behavior: 0 alerts
Observed behavior: 2 alerts

Pcap attached for simpler testing.
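The control-flow problem described above, reduced to a stand-alone C snippet. This is an added illustration written for this page, not Suricata's own detect-fileext.c: the struct, the EXT_FLAG_NEGATED bit and the function names are assumptions, and the file name is passed as a plain C string. The "buggy" version gates the negated branch on ret == 0, which is also true when the extension did match under negation; the "fixed" version uses the if-else the report proposes.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>
#include <stdio.h>

/* Hypothetical negation flag bit (assumed name, not Suricata's identifier). */
#define EXT_FLAG_NEGATED 0x01

/* Minimal stand-in for a parsed fileext keyword such as fileext:!"mp4". */
typedef struct {
    const char *ext;   /* extension without the dot, lowercase */
    size_t len;
    uint8_t flags;
} FileExtKeyword;

/* Does `name` end in ".<ext>" (case-insensitive)? Shared by both versions. */
static int ext_matches(const char *name, const FileExtKeyword *kw)
{
    size_t name_len = strlen(name);
    if (name_len <= kw->len)
        return 0;
    size_t offset = name_len - kw->len;
    return name[offset - 1] == '.' &&
           strncasecmp(kw->ext, name + offset, kw->len) == 0;
}

/* Logic as the report describes it: when the extension matches and the
 * keyword is negated, ret stays 0, and the final "ret == 0 && negated"
 * check then turns that into a match. A negated keyword fires on every file. */
int fileext_match_buggy(const char *name, const FileExtKeyword *kw)
{
    int ret = 0;
    if (ext_matches(name, kw)) {               /* "line 113" in the report */
        if (!(kw->flags & EXT_FLAG_NEGATED))   /* "line 115" */
            ret = 1;                           /* plain, non-negated match */
    }
    if (ret == 0 && (kw->flags & EXT_FLAG_NEGATED)) /* "line 121" */
        ret = 1;                               /* wrongly reached after a negated hit */
    return ret;
}

/* Proposed fix: if-else with no ret == 0 check. The negated branch is only
 * reachable when the extension did NOT match. */
int fileext_match_fixed(const char *name, const FileExtKeyword *kw)
{
    int ret = 0;
    if (ext_matches(name, kw)) {
        if (!(kw->flags & EXT_FLAG_NEGATED))
            ret = 1;
    } else if (kw->flags & EXT_FLAG_NEGATED) {
        ret = 1;
    }
    return ret;
}

int main(void)
{
    /* Constructed inputs mirroring the report's test: fileext:!"mp4" vs 2008.mp4 */
    FileExtKeyword neg_mp4 = { "mp4", 3, EXT_FLAG_NEGATED };
    FileExtKeyword pos_mp4 = { "mp4", 3, 0 };
    printf("buggy !mp4 vs 2008.mp4   -> %d (alert, wrong)\n",
           fileext_match_buggy("2008.mp4", &neg_mp4));
    printf("fixed !mp4 vs 2008.mp4   -> %d (no alert)\n",
           fileext_match_fixed("2008.mp4", &neg_mp4));
    printf("fixed !mp4 vs index.html -> %d (alert)\n",
           fileext_match_fixed("index.html", &neg_mp4));
    printf("fixed  mp4 vs 2008.mp4   -> %d (alert)\n",
           fileext_match_fixed("2008.mp4", &pos_mp4));
    return 0;
}
```

The same pattern applies to the filename keyword: only the comparison in ext_matches changes, the negation handling is identical.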


Files

2008.mp4.pcap (1.48 KB), Maurizio Abba, 07/31/2018 06:06 AM