Bug #2836
closedsignature with filemagic do not honor flowbits
Description
When running the following ruleset on a pcap with a PDF transfer, we have an unexpected result with sid:2 and sid:3 alerting on the same packet even if they have opposed flowbits tests
alert http any any -> any any (msg:"Wget useragent";content:"wget"; nocase; http_user_agent; sid:1; rev:1; flowbits:set,wgetagent; noalert;) alert http any any -> any any (msg:"PDF wget"; flowbits:isset,wgetagent; filemagic:"PDF"; flow:established,to_client; sid:2; rev:1;) alert http any any -> any any (msg:"PDF not wget"; flowbits:isnotset,wgetagent; filemagic:"PDF"; flow:established,to_client; sid:3; rev:1;)
You can find suricata-verify test here: https://github.com/regit/suricata-verify/commits/filemagic
Suricata 3.2 was correct but Suricata 4.0.x was not. A git bisect on this range seems to show that the following patch is responsible of the issue:
commit 1bbf5553186c7d38b678f93db24773bd14ff84cf
Author: Victor Julien <victor@inliniac.net>
Date: Tue Apr 11 15:24:49 2017 +0200
detect: improve stateful detection
EL Updated by Eric Leblond about 7 years ago
Test suite in suricata-verify: https://github.com/OISF/suricata-verify/pull/15
AH Updated by Andreas Herz about 7 years ago
- Assignee set to OISF Dev
- Target version set to TBD
PA Updated by Philippe Antoine about 5 years ago
- Assignee changed from OISF Dev to Philippe Antoine
PA Updated by Philippe Antoine almost 5 years ago
S-V passes with using sticky buffer file.magic instead of filemagic
PA Updated by Philippe Antoine almost 5 years ago
DetectFlowbitMatch is called too early for sid 3 and the flow bit is not set yet, so it matches. even if we have no file yet
Then DetectFilemagicMatch is called later
So, there may a deep issue about flow bits but I also think that there is an issue about file magic not being used
PA Updated by Philippe Antoine almost 5 years ago
- Affected Versions 6.0.2 added
- Affected Versions deleted (
4.0.1, 4.1.2)
PA Updated by Philippe Antoine almost 5 years ago
- Status changed from New to In Review
PA Updated by Philippe Antoine almost 5 years ago
- Target version changed from TBD to 7.0.0-beta1
VJ Updated by Victor Julien over 3 years ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
VJ Updated by Victor Julien about 3 years ago
- Target version changed from 7.0.0-rc1 to 8.0.0-beta1
PA Updated by Philippe Antoine about 3 years ago
- Target version changed from 8.0.0-beta1 to 7.0.1
PA Updated by Philippe Antoine almost 3 years ago
PA Updated by Philippe Antoine almost 3 years ago
- Target version changed from 7.0.1 to 7.0.0-rc2
Setting a better version than 7.0.1
VJ Updated by Victor Julien almost 3 years ago
- Priority changed from Normal to Low
VJ Updated by Victor Julien almost 3 years ago
- Target version changed from 7.0.0-rc2 to 7.0.0
PA Updated by Philippe Antoine almost 3 years ago
- Target version changed from 7.0.0 to 8.0.0-beta1
VJ Updated by Victor Julien almost 3 years ago
- Related to Optimization #6194: detect: modernize filename fileext filemagic added
PA Updated by Philippe Antoine almost 3 years ago
- Assignee changed from Philippe Antoine to Victor Julien
Getting fixed with #6194 by Victor
VJ Updated by Victor Julien over 2 years ago
- Status changed from In Review to Closed
- Priority changed from Low to Normal
- Target version changed from 8.0.0-beta1 to 7.0.0
Indeed fixed by #6194.
SV test and more merged here https://github.com/OISF/suricata-verify/pull/1288
VJ Updated by Victor Julien over 2 years ago
- Related to Optimization #6203: detect: modernize filename fileext filemagic (6.0.x backport) added