Bug #3747
bsize needs to err upon non possible matching conditions (5.0.x)
Status: Rejected
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:
Description
The following does not err (but it should)
cat bsize.rules 
alert http any any -> any any (msg:"bsize test TEST"; http.uri; content:"abcdefgh123456"; bsize:2; sid:111; rev:1;)
/opt/suritest/bin/suricata -l log/ -S bsize.rules --engine-analysis  ; cat log/rules_analysis.txt
[693058] 27/4/2020 -- 22:19:00 - (suricata.c:1056) <Notice> (LogVersion) -- This is Suricata version 6.0.0-dev (eef776087 2020-04-27) running in USER mode
-------------------------------------------------------------------
Date: 27/4/2020 -- 22:19:00
-------------------------------------------------------------------
== Sid: 111 ==
alert http any any -> any any (msg:"bsize test TEST"; http.uri; content:"abcdefgh123456"; bsize:2; sid:111; rev:1;)
    Rule matches on http uri buffer.
    App layer protocol is http.
    Rule contains 0 content options, 1 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "abcdefgh123456" on "http request uri (http_uri)" buffer.
    Warning: TCP rule without a flow or flags option.
             -Consider adding flow or flags to improve performance of this rule.
/opt/suritest/bin/suricata -l log/ -S bsize.rules -T
[693188] 27/4/2020 -- 22:21:40 - (suricata.c:1582) <Info> (ParseCommandLine) -- Running suricata under test mode
[693188] 27/4/2020 -- 22:21:40 - (suricata.c:1056) <Notice> (LogVersion) -- This is Suricata version 6.0.0-dev (eef776087 2020-04-27) running in SYSTEM mode
[693188] 27/4/2020 -- 22:21:41 - (suricata.c:2752) <Notice> (SuricataMain) -- Configuration provided was successfully loaded. Exiting.
If urilen:2 is added it errors properly
[693684] 27/4/2020 -- 22:38:21 - (suricata.c:1582) <Info> (ParseCommandLine) -- Running suricata under test mode
[693684] 27/4/2020 -- 22:38:21 - (suricata.c:1056) <Notice> (LogVersion) -- This is Suricata version 6.0.0-dev (eef776087 2020-04-27) running in SYSTEM mode
[693684] 27/4/2020 -- 22:38:21 - (detect-urilen.c:356) <Error> (DetectUrilenValidateContent) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - depth or urilen 2 smaller than content len 14
[693684] 27/4/2020 -- 22:38:21 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> any any (msg:"bsize test TEST"; http.uri; content:"abcdefgh123456"; urilen:2; sid:111; rev:1;)" from file bsize.rules at line 3
[693684] 27/4/2020 -- 22:38:21 - (detect-engine-loader.c:347) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rules were loaded!
[693684] 27/4/2020 -- 22:38:21 - (suricata.c:2154) <Error> (LoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.
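Because the engine accepts the rule above, a rule-file lint run before deployment can catch the contradiction instead. The following is an added example, not Suricata code and not part of this ticket; the function names are hypothetical, a dotted keyword without a value is assumed to be a sticky buffer, and offset/depth modifiers are ignored.

```python
import re

# One rule option: name plus optional value; quoted values may contain ';'.
OPT = re.compile(r'([\w.]+)\s*(?::\s*(!?"(?:\\.|[^"\\])*"|[^;]*))?;')

def content_len(value):
    """Byte length of a quoted content pattern, with |hex| blocks and escapes."""
    s, n, i, in_hex = value.strip()[1:-1], 0, 0, False
    while i < len(s):
        if s[i] == '|':
            in_hex = not in_hex
        elif in_hex:
            if not s[i].isspace():   # two hex digits encode one byte
                n, i = n + 1, i + 1
        else:
            if s[i] == '\\':         # escaped character such as \" or \;
                i += 1
            n += 1
        i += 1
    return n

def bsize_max(value):
    """Largest size a bsize value permits (range bound kept inclusive), else None."""
    m = re.fullmatch(r'(<|\d+<>)?(\d+)', value.replace(' ', ''))
    if not m:                        # '>N' and unrecognised forms: no upper bound
        return None
    return int(m[2]) - 1 if m[1] == '<' else int(m[2])

def impossible_bsize(rule):
    """Return [(buffer, max_size, content_len)] where content cannot fit bsize."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    buf, longest, limit = None, {}, {}
    for name, value in OPT.findall(body):
        if '.' in name and not value:        # assumption: sticky buffer keyword
            buf = name
        elif name == 'content' and not value.lstrip().startswith('!'):
            longest[buf] = max(longest.get(buf, 0), content_len(value))
        elif name == 'bsize':
            limit[buf] = bsize_max(value)
    return [(b, limit[b], n) for b, n in longest.items()
            if limit.get(b) is not None and n > limit[b]]

# The rule from the report, then two constructed variants.
REPORTED = 'alert http any any -> any any (msg:"bsize test TEST"; http.uri; content:"abcdefgh123456"; bsize:2; sid:111; rev:1;)'
FITS = REPORTED.replace('bsize:2;', 'bsize:14;')
HEX = 'alert http any any -> any any (msg:"constructed"; http.uri; content:"|41 42 43|"; bsize:<3; sid:112; rev:1;)'

if __name__ == '__main__':
    print([impossible_bsize(r) for r in (REPORTED, FITS, HEX)])
```

A non-empty result means the rule can never match on that buffer and should be fixed or dropped before the ruleset is loaded.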
Updated by Jeff Lucovsky over 5 years ago
- Copied from Bug #3682: detect/bsize: error for impossible matching conditions added
Updated by Nick Price over 5 years ago
Pretty new to this part of the codebase but I have a quick fix in place at https://github.com/DominoTree/suricata/commit/80eee4b98c61bde0f2f08b052b1ab07738235859
I'm sure I've done several things the wrong way here and I wasn't sure if we need to change things here to use callbacks or not. Let me know of any changes I should make or different approaches I should use and I'll get them sorted ASAP.
Updated by Victor Julien about 5 years ago
- Subject changed from bsize needs to err upon non possible matching conditions to bsize needs to err upon non possible matching conditions (5.0.x)
- Target version changed from 5.0.4 to TBD
Not yet fixed in master, so backport will wait for that.
Updated by Victor Julien over 3 years ago
- Status changed from Assigned to Rejected
- Assignee deleted (Jeff Lucovsky)
- Target version deleted (TBD)
5.0.x is too close to EOL