Project

General

Profile

Actions
Copy link

Bug #2581

closed

content match fails with on large streams

Added by Hugo Lequien over 5 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Community Ticket
Target version:
TBD
Affected Versions:
4.0.0
Effort:
Difficulty:
Label:

Description

Using suricata 4.0.0-dev (rev 2eadd77e), I have encountered a weird behavior.
A large payload (+900 kB) cause suricata to fail content matching if the data stream does not end with it. If the stream does end with it, suricata logs it twice (in fast.log).

Example :
With a rule such as :
alert ip any any -> any any (msg:"my super-useful rule"; priority:1; rev:1; sid:42420003; content:"BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB";)

And payloads such as :
payload1 : "A" * 900000 + "B" * 150
payload2 : payload1 + "C" * 850

payload1 is detected (or at least logged) twice while payload2 is not detected at all.

.pcap files to reproduce described behavior can be found as attachments to this issue.

Files

Download all files
detected.pcap (898 KB) detected.pcap capture file of detected packets Hugo Lequien, 08/22/2018 10:20 AM
not_detected.pcap (895 KB) not_detected.pcap capture file of undetected packets Hugo Lequien, 08/22/2018 10:20 AM
Actions
Copy link

Also available in: Atom PDF