Actions
Bug #3682
openbsize needs to err upon non possible matching conditions
Affected Versions:
Effort:
Difficulty:
Label:
Description
The following does not err (but it should)
cat bsize.rules alert http any any -> any any (msg:"bsize test TEST"; http.uri; content:"abcdefgh123456"; bsize:2; sid:111; rev:1;) /opt/suritest/bin/suricata -l log/ -S bsize.rules --engine-analysis ; cat log/rules_analysis.txt [693058] 27/4/2020 -- 22:19:00 - (suricata.c:1056) <Notice> (LogVersion) -- This is Suricata version 6.0.0-dev (eef776087 2020-04-27) running in USER mode ------------------------------------------------------------------- Date: 27/4/2020 -- 22:19:00 ------------------------------------------------------------------- == Sid: 111 == alert http any any -> any any (msg:"bsize test TEST"; http.uri; content:"abcdefgh123456"; bsize:2; sid:111; rev:1;) Rule matches on http uri buffer. App layer protocol is http. Rule contains 0 content options, 1 http content options, 0 pcre options, and 0 pcre options with http modifiers. Fast Pattern "abcdefgh123456" on "http request uri (http_uri)" buffer. Warning: TCP rule without a flow or flags option. -Consider adding flow or flags to improve performance of this rule. /opt/suritest/bin/suricata -l log/ -S bsize.rules -T [693188] 27/4/2020 -- 22:21:40 - (suricata.c:1582) <Info> (ParseCommandLine) -- Running suricata under test mode [693188] 27/4/2020 -- 22:21:40 - (suricata.c:1056) <Notice> (LogVersion) -- This is Suricata version 6.0.0-dev (eef776087 2020-04-27) running in SYSTEM mode [693188] 27/4/2020 -- 22:21:41 - (suricata.c:2752) <Notice> (SuricataMain) -- Configuration provided was successfully loaded. Exiting.
If urilen:2 is added it errors properly
[693684] 27/4/2020 -- 22:38:21 - (suricata.c:1582) <Info> (ParseCommandLine) -- Running suricata under test mode [693684] 27/4/2020 -- 22:38:21 - (suricata.c:1056) <Notice> (LogVersion) -- This is Suricata version 6.0.0-dev (eef776087 2020-04-27) running in SYSTEM mode [693684] 27/4/2020 -- 22:38:21 - (detect-urilen.c:356) <Error> (DetectUrilenValidateContent) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - depth or urilen 2 smaller than content len 14 [693684] 27/4/2020 -- 22:38:21 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> any any (msg:"bsize test TEST"; http.uri; content:"abcdefgh123456"; urilen:2; sid:111; rev:1;)" from file bsize.rules at line 3 [693684] 27/4/2020 -- 22:38:21 - (detect-engine-loader.c:347) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded! [693684] 27/4/2020 -- 22:38:21 - (suricata.c:2154) <Error> (LoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
Updated by Victor Julien over 4 years ago
- Status changed from New to Assigned
- Assignee set to Jeff Lucovsky
- Target version set to 6.0.0beta1
- Label Needs backport added
Updated by Jeff Lucovsky over 4 years ago
- Status changed from Assigned to In Review
Updated by Jeff Lucovsky over 4 years ago
- Copied to Bug #3746: bsize needs to err upon non possible matching conditions (4.1.x) added
Updated by Jeff Lucovsky over 4 years ago
- Copied to Bug #3747: bsize needs to err upon non possible matching conditions (5.0.x) added
Updated by Victor Julien over 4 years ago
- Target version changed from 6.0.0beta1 to 6.0.0rc1
Updated by Victor Julien about 4 years ago
- Target version changed from 6.0.0rc1 to 7.0.0-beta1
Updated by Victor Julien over 2 years ago
- Label Needs backport to 6.0 added
- Label deleted (
Needs backport)
Is https://github.com/OISF/suricata/pull/5980 the latest PR on this?
Updated by Shivani Bhardwaj about 2 years ago
- Label deleted (
Needs backport to 6.0)
Updated by Victor Julien about 2 years ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Victor Julien almost 2 years ago
- Target version changed from 7.0.0-rc1 to 8.0.0-beta1
Updated by Jeff Lucovsky over 1 year ago
- Status changed from In Review to Resolved
This no longer reproduces. The fix for issue #2982 contained changes that improved detection when rule elements create conditions that will never be matched.
Updated by Jeff Lucovsky about 1 year ago
Changes merged in https://github.com/OISF/suricata/pull/8165
Updated by Philippe Antoine 5 months ago
@Jeff Lucovsky can this ticket get closed ?
Actions