Bug #312

closed
incorrect parsing of rules with missing semi-colon for keywords

Added by Anoop Saldanha over 14 years ago. Updated over 9 years ago.

Status: Closed
Priority: Low

Description

Currently we seem to parse rules which contain keywords with missing semi-colons.

For example, alert tcp any any -> any any (content:boom; offset:10 sid:1;)

Such rules should be invalidated.

Updated by Anoop Saldanha over 14 years ago #1

  • Subject changed from incorrct parsing of rules with missing semi-colon for keywords to incorrect parsing of rules with missing semi-colon for keywords

Updated by Victor Julien over 14 years ago #2

  • Assignee set to Anoop Saldanha
  • Target version set to 1.1beta3
  • Estimated time set to 3.00 h

Updated by Victor Julien over 14 years ago #3

  • Target version changed from 1.1beta3 to 1.1rc1

Updated by Victor Julien over 14 years ago #4

  • % Done changed from 0 to 40

Updated by Victor Julien over 14 years ago #5

  • Status changed from New to Assigned
  • Priority changed from Normal to Low

Low prio for 1.1, we can push this back to 1.2 if you run out of time.

Updated by Victor Julien over 14 years ago #6

  • Target version changed from 1.1rc1 to 1.2

Updated by Victor Julien about 14 years ago #7

  • Target version changed from 1.2 to 1.3beta2

Additional example:

In 1.2dev (rev 4c1e417)

# Suricata not complaining:
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"B0rked rule - no
error in suricata"; flow:established,from_server; content:"|FF|" 
content:"TEST"; classtype:trojan-activity; sid:66; rev:1;)

That rule doesn't give any error message.

Updated by Victor Julien almost 14 years ago #8

  • Target version changed from 1.3beta2 to TBD

Updated by Andreas Herz over 10 years ago #9

  • Assignee changed from Anoop Saldanha to Andreas Herz

Updated by Andreas Herz over 10 years ago #10

The first rule in this ticket isn't working anymore:

[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - content keyword arguments should be always enclosed in double quotes.  Invalid content keyword passed in this rule - "boom" 

But the one from Victor is still loaded without warning.

Updated by Andreas Herz over 9 years ago #12

  • Status changed from Assigned to Closed

Updated by Victor Julien over 9 years ago #13

  • Target version changed from TBD to 3.2beta1
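
A pre-load lint for the condition reported in this ticket, added here as an example; it is not Suricata code and not the fix that closed the bug. It flags an option whose unquoted value runs into another "keyword:" token, using the two rules quoted above as input. The function names and the keyword-name pattern are assumptions made for illustration.

```python
import re

# Heuristic (assumption): an option name is lowercase letters, digits, '_', '.' or '-'.
# An unquoted "<whitespace>name:" inside another option's value means a ';' is missing.
SWALLOWED = re.compile(r'\s([a-z][a-z0-9_.\-]*):')
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')

def split_options(body):
    """Split the text between the parentheses on ';', ignoring ';' inside quotes."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ';' and not in_quote:
            opts.append(''.join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    tail = ''.join(cur).strip()
    return opts + ([tail] if tail else [])

def find_missing_semicolons(rule):
    """Return (option, swallowed_keyword) pairs for options that run into the next keyword."""
    start, end = rule.find('('), rule.rfind(')')
    if start < 0 or end < start:
        raise ValueError('rule has no (...) option block')
    findings = []
    for opt in split_options(rule[start + 1:end]):
        name, _, value = opt.partition(':')
        parts = name.split()
        if len(parts) > 1:  # valueless keyword ran into the next one, e.g. "nocase content:..."
            findings.append((parts[0], parts[-1]))
            name = parts[-1]
        match = SWALLOWED.search(QUOTED.sub('""', value))  # quoted text cannot hide a keyword
        if match:
            findings.append((name.strip(), match.group(1)))
    return findings

# The two rules quoted in this ticket (the second joined onto a single line).
RULE_1 = 'alert tcp any any -> any any (content:boom; offset:10 sid:1;)'
RULE_2 = ('alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"B0rked rule - no error in suricata"; '
          'flow:established,from_server; content:"|FF|" content:"TEST"; '
          'classtype:trojan-activity; sid:66; rev:1;)')
```

Running find_missing_semicolons over each line of a rule file before deployment catches rules that the engine would otherwise load without the intended options.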