Please find attached some tests with invalid rule keyword combinations (bad "grammar") that should not be loaded by the engine; nevertheless, they are getting loaded.
Modifiers and rule keywords: distance, within, depth, offset...
Snort corrected some of the issues they had: "Improved error checking for invalid combinations of "depth", "offset", "distance", and "within" modifiers in rules. Rules that mix relative and non-relative options on the same content will now cause errors." - http://blog.snort.org/2010/12/snort-2903-is-coming-soon.html
That dates back to Dec 2010; some of them are still not addressed, I believe.
Please find a comparison of invalid rules and whether they load or not. I have tested all the bad rules with Sur 1.0.4/1.0.5/git master and Snort 126.96.36.199/188.8.131.52/current beta; the results are in the attached spreadsheet.
Updated by Eileen Donlon almost 12 years ago
I've added a sheet to Peter's workbook which lists categories of invalid or bad rules, and color-coded the rules in Peter's list to show the category. The point of listing the categories is that it makes it easier to develop a comprehensive set of rules for testing. Let me know if you have done this already! A lot of these checks have already been implemented but I don't know if they've all been tested.
The "bad" rule checks would be part of the rule analyzer.
Updated by Peter Manev almost 12 years ago
I like the idea.
I think it would be good if we can number the categorizations as well i.e.
01 - Semantics Err
02 - Syntax Err
We could rewrite the "msg" in the alerts to reflect the categorization.
Then it shouldn’t be difficult to write a script that would test all the rules and reflect the results in one go for every git update/release update.
Updated by Andreas Herz over 7 years ago
To resolve all the examples we would need to include several checks when parsing dsize rules since the checks depend on several other keywords. Do we want to add this or are we just fine with loading those rules since they shouldn't hurt but also not match?
Updated by Jason Taylor over 4 years ago
suricata-verify tests have been submitted for the invalid rules.
There is still one rule that successfully loads in the current Suricata master branch:
alert udp any any -> any any (msg:"TEST SUCCESFULL - dsize/distance INVALID combination "; dsize:10; content:"boom"; content:"loom"; distance:10; sid:6666663; rev:1;)
#2982 has been created to track the invalid rule loading.
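An added example, not part of this ticket and not Suricata's own rule analyzer: a small Python checker that applies three of the "bad grammar" checks discussed in this thread to a plain rule string, including the dsize/distance rule quoted in the comment above. The checks are (1) distance/within on the first content, which has no previous match to be relative to, (2) relative and absolute modifiers mixed on the same content, the case from the Snort release note, and (3) a dsize bound smaller than the payload the content chain needs, which is why the rule above cannot match. The first check, the |hex| length handling and the dsize forms it understands (N, <N, A<>B) are assumptions of this example; the rules other than the ticket's own are constructed.

```python
"""Added example: a small checker for invalid content-modifier combinations.

This is not Suricata's rule analyzer; it re-creates three of the checks the
thread discusses on a plain-text rule string:
  1. distance/within on the first content (nothing to be relative to),
  2. relative (distance/within) mixed with absolute (depth/offset) on one content,
  3. a dsize upper bound smaller than the payload the content chain needs.
Handling of |hex| blocks and of the dsize forms N, <N, A<>B is an assumption.
"""
import re

RELATIVE = {"distance", "within"}   # measured from the previous content match
ABSOLUTE = {"depth", "offset"}      # measured from the start of the payload

# Rule from the ticket that still loads; the other rules below are constructed.
INVALID_RULE = ('alert udp any any -> any any (msg:"TEST SUCCESFULL - dsize/distance INVALID combination "; '
                'dsize:10; content:"boom"; content:"loom"; distance:10; sid:6666663; rev:1;)')
GOOD_RULE = ('alert tcp any any -> any any (msg:"ok; semicolon in msg"; dsize:<64; '
             'content:"GET"; depth:3; content:"/admin"; distance:1; within:20; sid:1; rev:1;)')
MIXED_RULE = ('alert tcp any any -> any any (msg:"mixed"; content:"a"; '
              'content:"b"; depth:5; distance:2; sid:2; rev:1;)')
FIRST_RELATIVE_RULE = 'alert tcp any any -> any any (msg:"first"; content:"|41 42|x"; within:5; sid:3; rev:1;)'


def split_options(rule):
    """Return (keyword, value) pairs from the option block, splitting on ';' outside quotes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quote = [], "", False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append(cur)
            cur = ""
        else:
            cur += ch
    opts.append(cur)
    pairs = []
    for opt in opts:
        if opt.strip():
            key, _, val = opt.strip().partition(":")
            pairs.append((key.strip(), val.strip() or None))
    return pairs


def pattern_length(value):
    """Byte length of a content pattern; text between '|' is hex, two digits per byte."""
    text = value.lstrip("!").strip().strip('"')
    total = 0
    for i, part in enumerate(text.split("|")):
        total += len(part.replace(" ", "")) // 2 if i % 2 else len(part)
    return total


def dsize_upper_bound(value):
    """Largest payload a dsize test could accept (conservative), or None for '>N'."""
    m = re.fullmatch(r"(\d+)|<(\d+)|\d+<>(\d+)", value)
    if not m:
        return None
    return int(next(g for g in m.groups() if g is not None))


def analyze(rule):
    """Return a list of grammar problems; an empty list means the rule passed."""
    problems, contents, dsize = [], [], None
    for key, val in split_options(rule):
        if key == "content":
            contents.append((pattern_length(val), {}))
        elif key in RELATIVE | ABSOLUTE:
            if not contents:
                problems.append(f"{key} has no content to modify")
            elif val and val.isdigit():          # variable-based values are not checked
                contents[-1][1][key] = int(val)
        elif key == "dsize":
            dsize = val
    for i, (_, mods) in enumerate(contents):
        rel, absolute = RELATIVE & set(mods), ABSOLUTE & set(mods)
        if i == 0 and rel:
            problems.append(f"content 1: {sorted(rel)} is relative but there is no previous match")
        if rel and absolute:
            problems.append(f"content {i + 1}: mixes relative {sorted(rel)} with absolute {sorted(absolute)}")
    if dsize is not None and contents:
        need = 0   # smallest payload on which every content in the chain could still match
        for i, (plen, mods) in enumerate(contents):
            if i > 0 and RELATIVE & set(mods):
                need += mods.get("distance", 0) + plen
            else:
                need = max(need, mods.get("offset", 0) + plen)
        bound = dsize_upper_bound(dsize)
        if bound is not None and need > bound:
            problems.append(f"dsize:{dsize} but the content chain needs at least {need} bytes")
    return problems


if __name__ == "__main__":
    for name, rule in [("ticket rule", INVALID_RULE), ("good", GOOD_RULE),
                       ("mixed", MIXED_RULE), ("first relative", FIRST_RELATIVE_RULE)]:
        print(name, "->", analyze(rule) or "loads cleanly")
```

The dsize check walks the content chain: an absolute content needs offset plus its own length, a relative one extends the previous match end by distance plus its length, so "boom" followed by "loom" at distance 10 needs 18 bytes and can never match a 10-byte payload. The bounds are deliberately conservative, so the verdict does not depend on whether a given engine treats <N or A<>B as inclusive or exclusive.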
Updated by Jason Taylor about 4 years ago
Sure, I can certainly take a look, which parsing items are you referring to?
As a side note I am working on https://redmine.openinfosecfoundation.org/issues/2982 which I think is the only outstanding issue related to this ticket?