Bug #312
closed
incorrect parsing of rules with missing semi-colon for keywords
Added by Anoop Saldanha over 13 years ago.
Updated over 8 years ago.
Description
Currently we seem to parse rules which contain keywords with missing semi-colons,
for example, alert tcp any any -> any any (content:boom; offset:10 sid:1;)
Such rules should be invalidated.
- Subject changed from incorrct parsing of rules with missing semi-colon for keywords to incorrect parsing of rules with missing semi-colon for keywords
- Assignee set to Anoop Saldanha
- Target version set to 1.1beta3
- Estimated time set to 3.00 h
- Target version changed from 1.1beta3 to 1.1rc1
- % Done changed from 0 to 40
- Status changed from New to Assigned
- Priority changed from Normal to Low
Low prio for 1.1, we can push this back to 1.2 if you run out of time.
- Target version changed from 1.1rc1 to 1.2
- Target version changed from 1.2 to 1.3beta2
Additional example:
In 1.2dev (rev 4c1e417)
# Suricata not complaining:
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"B0rked rule - no
error in suricata"; flow:established,from_server; content:"|FF|"
content:"TEST"; classtype:trojan-activity; sid:66; rev:1;)
That rule doesn't give any error message.
- Target version changed from 1.3beta2 to TBD
- Assignee changed from Anoop Saldanha to Andreas Herz
The first rule in this ticket isn't working anymore:
[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - content keyword arguments should be always enclosed in double quotes. Invalid content keyword passed in this rule - "boom"
But the one from Victor is still loaded without warning.
- Status changed from Assigned to Closed
- Target version changed from TBD to 3.2beta1
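The missing-separator pattern in both rules reported in this ticket can be caught by a lint pass before a ruleset is loaded. The following is an added example, not part of the ticket and not Suricata's own parser: a heuristic check in Python whose function names (`split_options`, `find_missing_semicolons`) are hypothetical. It goes slightly beyond the two reported cases by also flagging bare keywords fused together.

```python
import re

# Heuristic (assumption of this example): once quoted strings are blanked out,
# whitespace followed by "name:" inside one option means a keyword was swallowed.
_SWALLOWED = re.compile(r'\s[A-Za-z_][\w.]*\s*:')
_QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')

# The two rules quoted in this ticket (the second joined onto one line).
TICKET_RULES = [
    'alert tcp any any -> any any (content:boom; offset:10 sid:1;)',
    'alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"B0rked rule - no error in suricata"; '
    'flow:established,from_server; content:"|FF|" content:"TEST"; '
    'classtype:trojan-activity; sid:66; rev:1;)',
]


def split_options(body):
    """Split an option body on ';' outside double quotes, honouring backslash escapes."""
    options, current, in_quotes, escaped = [], [], False, False
    for ch in body:
        if ch == ';' and not in_quotes and not escaped:
            options.append(''.join(current).strip())
            current = []
            continue
        current.append(ch)
        if escaped:
            escaped = False            # this character was escaped, take it literally
        elif ch == '\\':
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
    tail = ''.join(current).strip()
    return options + [tail] if tail else options


def find_missing_semicolons(rule):
    """Return the options of `rule` that look like two keywords fused by a missing ';'."""
    start, end = rule.find('('), rule.rfind(')')
    if start == -1 or end < start:
        raise ValueError('no option block found')
    suspects = []
    for opt in split_options(rule[start + 1:end]):
        bare = _QUOTED.sub('""', opt)  # ignore anything inside quotes
        key, _, value = bare.partition(':')
        if re.search(r'\s', key.strip()) or _SWALLOWED.search(value):
            suspects.append(opt)
    return suspects
```

Run over `TICKET_RULES`, it reports `offset:10 sid:1` for the first rule and `content:"|FF|" content:"TEST"` for the second.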