Project

General

Profile

Actions

Bug #2836

open

signature with filemagic do not honor flowbits

Added by Eric Leblond over 2 years ago. Updated 3 months ago.

Status:
In Review
Priority:
Normal
Target version:
Affected Versions:
Effort:
medium
Difficulty:
high
Label:

Description

When running the following ruleset on a pcap with a PDF transfer, we have an unexpected result with sid:2 and sid:3 alerting on the same packet even if they have opposed flowbits tests

alert http any any -> any any (msg:"Wget useragent";content:"wget"; nocase; http_user_agent; sid:1; rev:1; flowbits:set,wgetagent; noalert;)
alert http any any -> any any (msg:"PDF wget"; flowbits:isset,wgetagent; filemagic:"PDF"; flow:established,to_client; sid:2; rev:1;)
alert http any any -> any any (msg:"PDF not wget"; flowbits:isnotset,wgetagent; filemagic:"PDF"; flow:established,to_client; sid:3; rev:1;)

You can find suricata-verify test here: https://github.com/regit/suricata-verify/commits/filemagic

Suricata 3.2 was correct but Suricata 4.0.x was not. A git bisect on this range seems to show that the following patch is responsible of the issue:

commit 1bbf5553186c7d38b678f93db24773bd14ff84cf
Author: Victor Julien <victor@inliniac.net>
Date:   Tue Apr 11 15:24:49 2017 +0200

    detect: improve stateful detection

Actions #1

Updated by Eric Leblond over 2 years ago

Actions #2

Updated by Andreas Herz over 2 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #3

Updated by Philippe Antoine 7 months ago

  • Assignee changed from OISF Dev to Philippe Antoine
Actions #4

Updated by Philippe Antoine 5 months ago

S-V passes with using sticky buffer file.magic instead of filemagic

Actions #5

Updated by Philippe Antoine 5 months ago

DetectFlowbitMatch is called too early for sid 3 and the flow bit is not set yet, so it matches. even if we have no file yet
Then DetectFilemagicMatch is called later

So, there may a deep issue about flow bits but I also think that there is an issue about file magic not being used

Actions #6

Updated by Philippe Antoine 5 months ago

  • Affected Versions 6.0.2 added
  • Affected Versions deleted (4.0.1, 4.1.2)
Actions #7

Updated by Philippe Antoine 5 months ago

  • Status changed from New to In Review
Actions #8

Updated by Philippe Antoine 3 months ago

  • Target version changed from TBD to 7.0rc1
Actions

Also available in: Atom PDF