Bug #2836
closedsignature with filemagic do not honor flowbits
Description
When running the following ruleset on a pcap with a PDF transfer, we have an unexpected result with sid:2 and sid:3 alerting on the same packet even if they have opposed flowbits tests
alert http any any -> any any (msg:"Wget useragent";content:"wget"; nocase; http_user_agent; sid:1; rev:1; flowbits:set,wgetagent; noalert;) alert http any any -> any any (msg:"PDF wget"; flowbits:isset,wgetagent; filemagic:"PDF"; flow:established,to_client; sid:2; rev:1;) alert http any any -> any any (msg:"PDF not wget"; flowbits:isnotset,wgetagent; filemagic:"PDF"; flow:established,to_client; sid:3; rev:1;)
You can find suricata-verify test here: https://github.com/regit/suricata-verify/commits/filemagic
Suricata 3.2 was correct but Suricata 4.0.x was not. A git bisect on this range seems to show that the following patch is responsible of the issue:
commit 1bbf5553186c7d38b678f93db24773bd14ff84cf Author: Victor Julien <victor@inliniac.net> Date: Tue Apr 11 15:24:49 2017 +0200 detect: improve stateful detection
Updated by Eric Leblond almost 6 years ago
Test suite in suricata-verify: https://github.com/OISF/suricata-verify/pull/15
Updated by Andreas Herz almost 6 years ago
- Assignee set to OISF Dev
- Target version set to TBD
Updated by Philippe Antoine almost 4 years ago
- Assignee changed from OISF Dev to Philippe Antoine
Updated by Philippe Antoine over 3 years ago
S-V passes with using sticky buffer file.magic
instead of filemagic
Updated by Philippe Antoine over 3 years ago
DetectFlowbitMatch
is called too early for sid 3 and the flow bit is not set yet, so it matches. even if we have no file yet
Then DetectFilemagicMatch
is called later
So, there may a deep issue about flow bits but I also think that there is an issue about file magic not being used
Updated by Philippe Antoine over 3 years ago
- Affected Versions 6.0.2 added
- Affected Versions deleted (
4.0.1, 4.1.2)
Updated by Philippe Antoine over 3 years ago
- Status changed from New to In Review
Updated by Philippe Antoine over 3 years ago
- Target version changed from TBD to 7.0.0-beta1
Updated by Victor Julien about 2 years ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Victor Julien almost 2 years ago
- Target version changed from 7.0.0-rc1 to 8.0.0-beta1
Updated by Philippe Antoine over 1 year ago
- Target version changed from 8.0.0-beta1 to 7.0.1
Updated by Philippe Antoine over 1 year ago
Updated by Philippe Antoine over 1 year ago
- Target version changed from 7.0.1 to 7.0.0-rc2
Setting a better version than 7.0.1
Updated by Victor Julien over 1 year ago
- Target version changed from 7.0.0-rc2 to 7.0.0
Updated by Philippe Antoine over 1 year ago
- Target version changed from 7.0.0 to 8.0.0-beta1
Updated by Victor Julien over 1 year ago
- Related to Optimization #6194: detect: modernize filename fileext filemagic added
Updated by Philippe Antoine over 1 year ago
- Assignee changed from Philippe Antoine to Victor Julien
Getting fixed with #6194 by Victor
Updated by Victor Julien over 1 year ago
- Status changed from In Review to Closed
- Priority changed from Low to Normal
- Target version changed from 8.0.0-beta1 to 7.0.0
Indeed fixed by #6194.
SV test and more merged here https://github.com/OISF/suricata-verify/pull/1288
Updated by Victor Julien over 1 year ago
- Related to Optimization #6203: detect: modernize filename fileext filemagic (6.0.x backport) added