Project

General

Profile

Actions
Copy link

Bug #3190

closed

file_data inspection inhibited by additional (non-file_data) content match rule

Added by Gabriel Somlo about 5 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Victor Julien
Target version:
5.0.0
Affected Versions:
5.0rc1
Effort:
Difficulty:
Label:

Description

Following this fix: https://github.com/OISF/suricata/pull/4211/commits/d4bc46038133a26ac0010ef64c865746f95814c7,
file_data base64 mail attachment content inspection started working (see #2395)
on the sample pcap here: https://redmine.openinfosecfoundation.org/attachments/1560
when this single relevant example rule was present: https://redmine.openinfosecfoundation.org/attachments/1748

The problem is that, when a second content-matching rule is also present, as in: https://redmine.openinfosecfoundation.org/attachments/1793,
the file_data rule no longer fires (both rules should generate alerts on the sample pcap file)!

Opening new bug since
1. I don't know whether this is the same underlying root cause as #2395 itself, and
2. my redmine account apparently doesn't have the power to re-open a closed bug :)

Related issues 2 (0 open2 closed)

Related to Suricata - Bug #2395: File_data inspection depth while inspecting base64 decoded dataClosedVictor JulienActions
Related to Suricata - Bug #2522: The cross-effects of rules on each other, without the use of flowbits.ClosedVictor JulienActions
Actions
Copy link

Also available in: Atom PDF