Project

General

Profile

Actions

Bug #312

closed

incorrect parsing of rules with missing semi-colon for keywords

Added by Anoop Saldanha over 13 years ago. Updated about 8 years ago.

Status:
Closed
Priority:
Low
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Currently we seem to parse rules which contains keywords with missing semi-colons

for example, alert tcp any any -> any any (content:boom; offset:10 sid:1;)

such rules should be invalidated.

Actions #1

Updated by Anoop Saldanha over 13 years ago

  • Subject changed from incorrct parsing of rules with missing semi-colon for keywords to incorrect parsing of rules with missing semi-colon for keywords
Actions #2

Updated by Victor Julien over 13 years ago

  • Assignee set to Anoop Saldanha
  • Target version set to 1.1beta3
  • Estimated time set to 3.00 h
Actions #3

Updated by Victor Julien about 13 years ago

  • Target version changed from 1.1beta3 to 1.1rc1
Actions #4

Updated by Victor Julien about 13 years ago

  • % Done changed from 0 to 40
Actions #5

Updated by Victor Julien about 13 years ago

  • Status changed from New to Assigned
  • Priority changed from Normal to Low

Low prio for 1.1, we can push this back to 1.2 if you run out of time.

Actions #6

Updated by Victor Julien about 13 years ago

  • Target version changed from 1.1rc1 to 1.2
Actions #7

Updated by Victor Julien almost 13 years ago

  • Target version changed from 1.2 to 1.3beta2

Additional example:

In 1.2dev (rev 4c1e417)

# Suricata not complaining:
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"B0rked rule - no
error in suricata"; flow:established,from_server; content:"|FF|" 
content:"TEST"; classtype:trojan-activity; sid:66; rev:1;)

That rules dont give any error message.
Actions #8

Updated by Victor Julien over 12 years ago

  • Target version changed from 1.3beta2 to TBD
Actions #9

Updated by Andreas Herz almost 9 years ago

  • Assignee changed from Anoop Saldanha to Andreas Herz
Actions #10

Updated by Andreas Herz almost 9 years ago

The first rule in this ticket isn't working anymore:

[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - content keyword arguments should be always enclosed in double quotes.  Invalid content keyword passed in this rule - "boom" 

But the one from Victor is still loaded without warning.

Actions #12

Updated by Andreas Herz about 8 years ago

  • Status changed from Assigned to Closed
Actions #13

Updated by Victor Julien about 8 years ago

  • Target version changed from TBD to 3.2beta1
Actions

Also available in: Atom PDF