Bug #312

incorrect parsing of rules with missing semi-colon for keywords

Added by Anoop Saldanha over 2 years ago. Updated almost 2 years ago.

Status: Assigned
Start date: 08/09/2011
Priority: Low
Due date:
Assignee: Anoop Saldanha
% Done: 40%
Category: -
Estimated time: 3.00 hours
Target version: TBD

Description

Currently we seem to parse rules which contain keywords with missing semi-colons.

For example: alert tcp any any -> any any (content:boom; offset:10 sid:1;)

Such rules should be invalidated.

History

#1 Updated by Anoop Saldanha over 2 years ago

  • Subject changed from incorrct parsing of rules with missing semi-colon for keywords to incorrect parsing of rules with missing semi-colon for keywords

#2 Updated by Victor Julien over 2 years ago

  • Assignee set to Anoop Saldanha
  • Target version set to 1.1beta3
  • Estimated time set to 3.00

#3 Updated by Victor Julien over 2 years ago

  • Target version changed from 1.1beta3 to 1.1rc1

#4 Updated by Victor Julien over 2 years ago

  • % Done changed from 0 to 40

#5 Updated by Victor Julien over 2 years ago

  • Status changed from New to Assigned
  • Priority changed from Normal to Low

Low prio for 1.1, we can push this back to 1.2 if you run out of time.

#6 Updated by Victor Julien over 2 years ago

  • Target version changed from 1.1rc1 to 1.2

#7 Updated by Victor Julien over 2 years ago

  • Target version changed from 1.2 to 1.3beta2

Additional example:

In 1.2dev (rev 4c1e417)

# Suricata not complaining:
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"B0rked rule - no error in suricata"; flow:established,from_server; content:"|FF|" content:"TEST"; classtype:trojan-activity; sid:66; rev:1;)

That rule doesn't give any error message.
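
Both reports on this ticket have the same shape: a keyword's terminating semicolon is missing, so the text that should have started the next keyword (offset:10 sid:1 in the description, content:"|FF|" content:"TEST" above) is swallowed into the previous value and the parser stays silent. The following is an added, self-contained checker written for this ticket; it is not Suricata's parser or any code from the project. It splits the option section on unquoted semicolons (honouring backslash escapes and double-quoted strings), then flags an unquoted value that contains whitespace followed by a name: token, a quoted value that has trailing text after its closing quote, and a trailing option with no semicolon at all. The function names, the heuristic, and the well-formed sample rule are assumptions of this example; the two broken rules are the ones quoted on this ticket.

```python
"""Detect Suricata/Snort-style rule options that lost their terminating ';'.

Added example, not Suricata's own parser.  Options are ``keyword[:value];``
pairs inside the outer parentheses.  Values may be double-quoted strings in
which ``\\"``, ``\\;`` and ``\\\\`` are escapes and ``|FF|`` carries hex bytes.
"""
import re

# Heuristic (assumption of this example): whitespace followed by ``name:``
# inside an UNQUOTED value almost always means a keyword lost its ';'.
_EMBEDDED_KEYWORD = re.compile(r"\s([A-Za-z_][\w.-]*)\s*:")


def _closing_quote(s, i):
    """Index of the unescaped '"' that closes a string opened before index i."""
    while i < len(s):
        if s[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if s[i] == '"':
            return i
        i += 1
    return None


def split_options(options):
    """Split the text between the rule's parentheses into raw option strings.

    Returns (option_text, terminated) tuples; ``terminated`` is False only for
    a trailing fragment that had no ';' after it.  Quotes and escapes are
    honoured so that ';' inside msg:"a;b" does not split the value."""
    items, buf, in_quote, i = [], [], False, 0
    while i < len(options):
        ch = options[i]
        if ch == "\\" and i + 1 < len(options):   # keep escape pair intact
            buf.append(options[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            items.append(("".join(buf).strip(), True))
            buf = []
        else:
            buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        items.append((tail, False))
    return items


def check_rule(rule):
    """Return a list of human-readable problems; [] means every option is
    properly terminated."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return ["rule has no '(' ... ')' option section"]
    problems = []
    for text, terminated in split_options(rule[start + 1:end]):
        if not terminated:
            problems.append(f"option '{text}' is not terminated by ';'")
        keyword, sep, value = text.partition(":")
        keyword, value = keyword.strip(), value.strip()
        if not sep:
            continue                      # flag-style keyword such as nocase
        if value.startswith('"') or value.startswith('!"'):
            # Quoted value: only whitespace may follow the closing quote.
            close = _closing_quote(value, value.index('"') + 1)
            if close is None:
                problems.append(f"{keyword}: unterminated string")
            elif value[close + 1:].strip():
                rest = value[close + 1:].strip()
                problems.append(
                    f"{keyword}: text '{rest}' follows the closing quote (missing ';'?)")
        else:
            m = _EMBEDDED_KEYWORD.search(value)
            if m:
                problems.append(
                    f"{keyword}: value '{value}' contains keyword '{m.group(1)}' (missing ';'?)")
    return problems


if __name__ == "__main__":
    samples = [
        # the two rules quoted on this ticket
        'alert tcp any any -> any any (content:boom; offset:10 sid:1;)',
        'alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"B0rked rule - no error in suricata"; '
        'flow:established,from_server; content:"|FF|" content:"TEST"; '
        'classtype:trojan-activity; sid:66; rev:1;)',
        # constructed well-formed rule for comparison
        'alert tcp any any -> any any (msg:"ok; really"; content:"a\\"b"; '
        'threshold: type limit, track by_src, count 1, seconds 60; sid:1; rev:1;)',
    ]
    for r in samples:
        print(check_rule(r) or "OK", "<-", r)
```

A value such as threshold's "type limit, track by_src" contains whitespace but no name: token, so it passes; the regex is intentionally narrow so that legitimate multi-word values are not rejected.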

#8 Updated by Victor Julien almost 2 years ago

  • Target version changed from 1.3beta2 to TBD
