Project

General

Profile

Actions
Copy link

Bug #2836

closed

signature with filemagic do not honor flowbits

Added by Eric Leblond about 5 years ago. Updated 9 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
7.0.0
Affected Versions:
6.0.2
Effort:
medium
Difficulty:
high
Label:

Description

When running the following ruleset on a pcap with a PDF transfer, we have an unexpected result with sid:2 and sid:3 alerting on the same packet even if they have opposed flowbits tests 

alert http any any -> any any (msg:"Wget useragent";content:"wget"; nocase; http_user_agent; sid:1; rev:1; flowbits:set,wgetagent; noalert;)
alert http any any -> any any (msg:"PDF wget"; flowbits:isset,wgetagent; filemagic:"PDF"; flow:established,to_client; sid:2; rev:1;)
alert http any any -> any any (msg:"PDF not wget"; flowbits:isnotset,wgetagent; filemagic:"PDF"; flow:established,to_client; sid:3; rev:1;)

You can find suricata-verify test here: https://github.com/regit/suricata-verify/commits/filemagic

Suricata 3.2 was correct but Suricata 4.0.x was not. A git bisect on this range seems to show that the following patch is responsible of the issue:

commit 1bbf5553186c7d38b678f93db24773bd14ff84cf
Author: Victor Julien <victor@inliniac.net>
Date:   Tue Apr 11 15:24:49 2017 +0200

    detect: improve stateful detection

Related issues 2 (0 open2 closed)

Related to Suricata - Optimization #6194: detect: modernize filename fileext filemagicClosedVictor JulienActions
Related to Suricata - Optimization #6203: detect: modernize filename fileext filemagic (6.0.x backport)ClosedVictor JulienActions
Actions
Copy link

Also available in: Atom PDF