Bug #3682

closed
detect/bsize: error for impossible matching conditions

Added by Peter Manev almost 6 years ago. Updated about 1 year ago.

Status: Closed
Priority: Normal

Description

The following does not err (but it should)

cat bsize.rules 

alert http any any -> any any (msg:"bsize test TEST"; http.uri; content:"abcdefgh123456"; bsize:2; sid:111; rev:1;)

/opt/suritest/bin/suricata -l log/ -S bsize.rules --engine-analysis  ; cat log/rules_analysis.txt
[693058] 27/4/2020 -- 22:19:00 - (suricata.c:1056) <Notice> (LogVersion) -- This is Suricata version 6.0.0-dev (eef776087 2020-04-27) running in USER mode
-------------------------------------------------------------------
Date: 27/4/2020 -- 22:19:00
-------------------------------------------------------------------
== Sid: 111 ==
alert http any any -> any any (msg:"bsize test TEST"; http.uri; content:"abcdefgh123456"; bsize:2; sid:111; rev:1;)
    Rule matches on http uri buffer.
    App layer protocol is http.
    Rule contains 0 content options, 1 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "abcdefgh123456" on "http request uri (http_uri)" buffer.
    Warning: TCP rule without a flow or flags option.
             -Consider adding flow or flags to improve performance of this rule.

/opt/suritest/bin/suricata -l log/ -S bsize.rules -T
[693188] 27/4/2020 -- 22:21:40 - (suricata.c:1582) <Info> (ParseCommandLine) -- Running suricata under test mode
[693188] 27/4/2020 -- 22:21:40 - (suricata.c:1056) <Notice> (LogVersion) -- This is Suricata version 6.0.0-dev (eef776087 2020-04-27) running in SYSTEM mode
[693188] 27/4/2020 -- 22:21:41 - (suricata.c:2752) <Notice> (SuricataMain) -- Configuration provided was successfully loaded. Exiting.

If urilen:2 is added it errors properly

[693684] 27/4/2020 -- 22:38:21 - (suricata.c:1582) <Info> (ParseCommandLine) -- Running suricata under test mode
[693684] 27/4/2020 -- 22:38:21 - (suricata.c:1056) <Notice> (LogVersion) -- This is Suricata version 6.0.0-dev (eef776087 2020-04-27) running in SYSTEM mode
[693684] 27/4/2020 -- 22:38:21 - (detect-urilen.c:356) <Error> (DetectUrilenValidateContent) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - depth or urilen 2 smaller than content len 14
[693684] 27/4/2020 -- 22:38:21 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> any any (msg:"bsize test TEST"; http.uri; content:"abcdefgh123456"; urilen:2; sid:111; rev:1;)" from file bsize.rules at line 3
[693684] 27/4/2020 -- 22:38:21 - (detect-engine-loader.c:347) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!
[693684] 27/4/2020 -- 22:38:21 - (suricata.c:2154) <Error> (LoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
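
The condition this report asks Suricata to reject can also be checked before a rule file is deployed. The following is an added example, not part of the original report and not Suricata's own code: a small Python lint that compares the longest non-negated content on a buffer with the largest size that bsize allows for that buffer. The function names are hypothetical; it assumes that a valueless keyword containing a dot (such as http.uri) starts a new sticky buffer, and it treats the upper end of a bsize range as inclusive so that only certain conflicts are flagged.

```python
import re

def content_len(value):
    """Byte length of a content pattern: |hex| blocks count bytes, escapes count one."""
    pat = value.strip()
    pat = pat[1:-1] if pat.startswith('"') else pat
    total = 0
    for i, part in enumerate(pat.split('|')):
        if i % 2:  # odd segments sit between pipes: hex byte notation
            total += len(re.findall(r'[0-9A-Fa-f]{2}', part))
        else:      # plain text; a backslash escape is one byte
            total += len(re.sub(r'\\(.)', r'\1', part))
    return total

def bsize_max(value):
    """Largest buffer size a bsize value allows, or None if unbounded/unparsable."""
    v = value.strip()
    rng = re.fullmatch(r'\d+\s*<>\s*(\d+)', v)
    if rng:
        return int(rng.group(1))  # assumption: upper bound kept inclusive (conservative)
    m = re.fullmatch(r'(<=|<|=)?\s*(\d+)', v)
    if not m:
        return None               # '>' / '>=' have no upper bound
    return int(m.group(2)) - 1 if m.group(1) == '<' else int(m.group(2))

def impossible_bsize(rule):
    """Return [(buffer, longest_content, bsize_max)] for buffers that can never match."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    buffers, current = {}, "payload"
    for opt in re.split(r'(?<!\\);', body):   # split on unescaped ';'
        name, _, value = opt.strip().partition(':')
        name = name.strip()
        if not name:
            continue
        if not value and '.' in name:         # assumption: sticky buffer keyword
            current = name
            continue
        state = buffers.setdefault(current, {"longest": 0, "max": None})
        if name == 'content' and not value.lstrip().startswith('!'):
            state["longest"] = max(state["longest"], content_len(value))
        elif name == 'bsize':
            state["max"] = bsize_max(value)
    return [(b, s["longest"], s["max"]) for b, s in buffers.items()
            if s["max"] is not None and s["longest"] > s["max"]]

# The rule from this report, reproduced as sample input.
PAGE_RULE = ('alert http any any -> any any (msg:"bsize test TEST"; http.uri; '
             'content:"abcdefgh123456"; bsize:2; sid:111; rev:1;)')

if __name__ == "__main__":
    for buf, need, limit in impossible_bsize(PAGE_RULE):
        print(f"{buf}: content needs {need} bytes, bsize allows at most {limit}")
```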


Subtasks 1 (0 open, 1 closed)

Bug #5606: bsize needs to err upon non possible matching conditions (6.0.x backport) - Rejected

Related issues 2 (0 open, 2 closed)

Copied to Suricata - Bug #3746: bsize needs to err upon non possible matching conditions (4.1.x) - Rejected - Shivani Bhardwaj
Copied to Suricata - Bug #3747: bsize needs to err upon non possible matching conditions (5.0.x) - Rejected

Updated by Peter Manev almost 6 years ago #1

Originally reported by Jae Williams.

Updated by Victor Julien almost 6 years ago #2

  • Status changed from New to Assigned
  • Assignee set to Jeff Lucovsky
  • Target version set to 6.0.0beta1
  • Label Needs backport added

Updated by Jeff Lucovsky almost 6 years ago #3

  • Status changed from Assigned to In Review

Updated by Jeff Lucovsky almost 6 years ago #4

  • Copied to Bug #3746: bsize needs to err upon non possible matching conditions (4.1.x) added

Updated by Jeff Lucovsky almost 6 years ago #5

  • Copied to Bug #3747: bsize needs to err upon non possible matching conditions (5.0.x) added

Updated by Victor Julien over 5 years ago #6

  • Target version changed from 6.0.0beta1 to 6.0.0rc1

Updated by Victor Julien over 5 years ago #7

  • Target version changed from 6.0.0rc1 to 7.0.0-beta1

Updated by Victor Julien almost 4 years ago #8

  • Label Needs backport to 6.0 added
  • Label deleted (Needs backport)

Updated by Shivani Bhardwaj over 3 years ago #9

  • Subtask #5606 added

Updated by Shivani Bhardwaj over 3 years ago #10

  • Label deleted (Needs backport to 6.0)

Updated by Victor Julien over 3 years ago #11

  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1

Updated by Victor Julien about 3 years ago #12

  • Target version changed from 7.0.0-rc1 to 8.0.0-beta1

Updated by Jeff Lucovsky almost 3 years ago #13

  • Status changed from In Review to Resolved

This no longer reproduces. The fix for issue #2982 contained changes that improved detection when rule elements create conditions that will never be matched.

Updated by Philippe Antoine almost 2 years ago #15

@Jeff Lucovsky can this ticket get closed?

Updated by Philippe Antoine about 1 year ago #16

  • Status changed from Resolved to Closed

Updated by Victor Julien about 1 year ago #17

  • Subject changed from bsize needs to err upon non possible matching conditions to detect/bsize: error for impossible matching conditions