Bug #312
Closed: incorrect parsing of rules with missing semi-colon for keywords
Description
Currently we seem to parse rules which contain keywords with missing semi-colons, for example:
alert tcp any any -> any any (content:boom; offset:10 sid:1;)
Such rules should be invalidated.
Updated by Victor Julien over 13 years ago
- Status changed from New to Assigned
- Priority changed from Normal to Low
Low prio for 1.1, we can push this back to 1.2 if you run out of time.
Updated by Victor Julien about 13 years ago
- Target version changed from 1.2 to 1.3beta2
Additional example:
In 1.2dev (rev 4c1e417)
# Suricata not complaining:
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"B0rked rule - no error in suricata"; flow:established,from_server; content:"|FF|" content:"TEST"; classtype:trojan-activity; sid:66; rev:1;)
That rule doesn't give any error message.
Updated by Andreas Herz about 9 years ago
The first rule in this ticket isn't working anymore:
[ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - content keyword arguments should be always enclosed in double quotes. Invalid content keyword passed in this rule - "boom"
But the one from Victor is still loaded without warning.
Updated by Andreas Herz over 8 years ago
This is fixed: https://github.com/inliniac/suricata/pull/2229
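An added example, not part of the ticket and not Suricata's parser: a small rule lint that flags a suspected missing `;` between keywords, run over the two rules quoted above. The function names and the "whitespace followed by `name:`" heuristic are assumptions made for illustration.

```python
import re
# Heuristic (assumption): whitespace then "name:" in an unquoted value starts a new keyword.
NEXT_KEYWORD = re.compile(r'\s([A-Za-z_][\w.]*)\s*:')
QUOTED = re.compile(r'!?\s*"(?:\\.|[^"\\])*"(.*)', re.S)  # quoted value + trailing text

def split_options(body):
    """Split on ';' outside double quotes, keeping backslash escapes intact."""
    options, token, in_quotes, i = [], '', False, 0
    while i < len(body):
        ch = body[i]
        if ch == '\\' and i + 1 < len(body):   # e.g. \; or \" inside a value
            token, i = token + body[i:i + 2], i + 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ';' and not in_quotes:
            options.append(token.strip())
            token = ''
        else:
            token += ch
        i += 1
    return options, token.strip()              # second item: text after the last ';'

def lint_rule(rule):
    """Return suspected missing-semicolon problems in one rule's option section."""
    start, end = rule.find('('), rule.rfind(')')
    if start == -1 or end < start:
        return ['no option section in parentheses']
    options, leftover = split_options(rule[start + 1:end])
    problems = []
    for opt in options:
        name, _, value = (part.strip() for part in opt.partition(':'))
        quoted = QUOTED.fullmatch(value)
        if re.search(r'\s', name):
            problems.append(f'"{name}": two keywords before ":", missing ";"?')
        elif quoted and quoted.group(1).strip():
            problems.append(f'{name}: text after closing quote, missing ";"?')
        elif not quoted and (nxt := NEXT_KEYWORD.search(value)):
            problems.append(f'{name}: value runs into "{nxt.group(1)}", missing ";"?')
    if leftover:
        problems.append(f'last option "{leftover}" not terminated by ";"')
    return problems

# The two rules quoted in this ticket, and the second with the ';' restored.
TICKET_RULE_1 = 'alert tcp any any -> any any (content:boom; offset:10 sid:1;)'
TICKET_RULE_2 = ('alert tcp $EXTERNAL_NET 443 -> $HOME_NET any '
                 '(msg:"B0rked rule - no error in suricata"; flow:established,from_server; '
                 'content:"|FF|" content:"TEST"; classtype:trojan-activity; sid:66; rev:1;)')
FIXED_RULE_2 = TICKET_RULE_2.replace('"|FF|" content', '"|FF|"; content')
```

Calling `lint_rule` on each line of a rule file before deployment surfaces these cases independently of which Suricata version loads the rules.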