incorrect parsing of rules with missing semi-colon for keywords
Currently we seem to parse rules which contain keywords with missing semi-colons, for example:
alert tcp any any -> any any (content:boom; offset:10 sid:1;)
Such rules should be invalidated.
#7 Updated by Victor Julien almost 6 years ago
- Target version changed from 1.2 to 1.3beta2
In 1.2dev (rev 4c1e417)
# Suricata not complaining:
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"B0rked rule - no error in suricata"; flow:established,from_server; content:"|FF|" content:"TEST"; classtype:trojan-activity; sid:66; rev:1;)
That rule doesn't give any error message.
#10 Updated by Andreas Herz almost 2 years ago
The first rule in this ticket isn't working anymore:
[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - content keyword arguments should be always enclosed in double quotes. Invalid content keyword passed in this rule - "boom"
But the one from Victor is still loaded without warning.
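
As an added example (not Suricata's parser and not code from this ticket), a heuristic Python lint that flags rule options in which a following keyword appears to have been swallowed by a missing semi-colon. The function names are hypothetical; the two sample rules are the ones quoted in this ticket.

```python
import re

# The two rules quoted in this ticket.
RULE_TICKET = 'alert tcp any any -> any any (content:boom; offset:10 sid:1;)'
RULE_COMMENT = ('alert tcp $EXTERNAL_NET 443 -> $HOME_NET any '
                '(msg:"B0rked rule - no error in suricata"; flow:established,from_server; '
                'content:"|FF|" content:"TEST"; classtype:trojan-activity; sid:66; rev:1;)')

# Heuristic (assumption): outside quoted strings, whitespace followed by
# "name:" looks like the start of a second keyword inside one option.
_SWALLOWED = re.compile(r'\s[A-Za-z_][\w.]*\s*:')
# Heuristic (assumption): nothing should follow a closing quote in an option.
_AFTER_QUOTE = re.compile(r'""\s*\S')

def split_options(body):
    """Split an option body on ';', honouring quotes and backslash escapes."""
    opts, cur, in_quote, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):   # keep escaped pairs such as \; or \"
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    opts.append("".join(cur).strip())          # text left after the last ';'
    return [o for o in opts if o]

def strip_quoted(value):
    """Collapse each quoted string to "" so its content is ignored."""
    return re.sub(r'"(?:\\.|[^"\\])*"', '""', value)

def missing_semicolons(rule):
    """Return the options that appear to contain more than one keyword."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end <= start:
        raise ValueError("no option section found")
    suspects = []
    for opt in split_options(rule[start + 1:end]):
        _, sep, value = opt.partition(":")
        bare = strip_quoted(value)
        if sep and (_SWALLOWED.search(bare) or _AFTER_QUOTE.search(bare)):
            suspects.append(opt)
    return suspects
```

Running `missing_semicolons` over each line of a rule file before loading it gives a pre-flight check for this class of typo; because it is a heuristic, a hit means "review this option", not a definitive syntax error.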