Bug #2581

closed

content match fails on large streams

Added by Hugo Lequien about 4 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal

Description

Using suricata 4.0.0-dev (rev 2eadd77e), I have encountered a weird behavior.
A large payload (900+ kB) causes suricata to fail content matching if the data stream does not end with it. If the stream does end with it, suricata logs it twice (in fast.log).

Example:
With a rule such as:
alert ip any any -> any any (msg:"my super-useful rule"; priority:1; rev:1; sid:42420003; content:"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB";)

And payloads such as:
payload1: "A" * 900000 + "B" * 150
payload2: payload1 + "C" * 850

payload1 is detected (or at least logged) twice while payload2 is not detected at all.

.pcap files to reproduce described behavior can be found as attachments to this issue.


Files

detected.pcap (898 KB) - capture file of detected packets - Hugo Lequien, 08/22/2018 10:20 AM
not_detected.pcap (895 KB) - capture file of undetected packets - Hugo Lequien, 08/22/2018 10:20 AM
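Added example, not part of the report or its attachments: a dependency-free Python generator that rebuilds equivalent captures for the two payloads, with a full TCP handshake and valid IP/TCP checksums so stream reassembly and checksum validation do not discard the segments, which makes the case easy to re-run against a newer release. The IP addresses, ports and MAC addresses are hypothetical.

```python
import struct
# Constructed reproduction inputs (from the report); addresses, ports and MACs are hypothetical.
PAYLOAD1 = b"A" * 900000 + b"B" * 150
PAYLOAD2 = PAYLOAD1 + b"C" * 850
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SPORT, DPORT, MSS = 40000, 8080, 1460

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (returns 0 when a checksummed header verifies)."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def tcp_packet(src, dst, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet/IPv4/TCP frame with valid IP and TCP checksums, so stream checksum validation accepts it."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip + tcp  # dst MAC, src MAC, IPv4

def stream_packets(payload: bytes) -> list:
    """Full session: handshake, client data in MSS-sized segments each ACKed by the server, FIN exchange."""
    SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01
    c, s = 1001, 5001  # client/server sequence numbers after the handshake (ISN + 1)
    pkts = [tcp_packet(SRC, DST, SPORT, DPORT, c - 1, 0, SYN),
            tcp_packet(DST, SRC, DPORT, SPORT, s - 1, c, SYN | ACK),
            tcp_packet(SRC, DST, SPORT, DPORT, c, s, ACK)]
    for off in range(0, len(payload), MSS):
        seg = payload[off:off + MSS]
        pkts.append(tcp_packet(SRC, DST, SPORT, DPORT, c + off, s, PSH | ACK, seg))
        pkts.append(tcp_packet(DST, SRC, DPORT, SPORT, s, c + off + len(seg), ACK))
    end = c + len(payload)
    pkts.append(tcp_packet(SRC, DST, SPORT, DPORT, end, s, FIN | ACK))
    pkts.append(tcp_packet(DST, SRC, DPORT, SPORT, s, end + 1, FIN | ACK))
    pkts.append(tcp_packet(SRC, DST, SPORT, DPORT, end + 1, s + 1, ACK))
    return pkts

def write_pcap(path: str, packets: list) -> int:
    """Classic little-endian pcap, LINKTYPE_ETHERNET, one packet per microsecond; returns bytes written."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(packets):
        out += struct.pack("<IIII", 0, i, len(p), len(p)) + p
    with open(path, "wb") as f:
        f.write(out)
    return len(out)
if __name__ == "__main__":  # replay each with `suricata -r <file> -S <rules file>`
    for name, p in (("detected_repro.pcap", PAYLOAD1), ("not_detected_repro.pcap", PAYLOAD2)):
        write_pcap(name, stream_packets(p))
```

With the rule above in the rules file, a correct engine should alert exactly once on each capture; the report's symptom is two alerts for the first and none for the second.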
Actions #1

Updated by Andreas Herz over 3 years ago

  • Assignee set to Community Ticket
  • Target version set to TBD

Can you see if it is still an issue with 4.1.4?

Actions #2

Updated by Andreas Herz about 3 years ago

  • Status changed from New to Closed

Hi, we're closing this issue since there have been no further responses.
If you think this bug is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs
