Actions
Bug #4482
opendetect: detect events not in rules, not tested (and not working?)
Affected Versions:
Effort:
Difficulty:
Label:
Description
There is a special class of 'events' that is currently only used by the swf decoder that runs from the detection engine. In case it finds issues during the decompression process in swf, it sets events.
The events are in detect.h
/* event code */
enum {
#ifdef UNITTESTS
DET_CTX_EVENT_TEST,
#endif
FILE_DECODER_EVENT_NO_MEM,
FILE_DECODER_EVENT_INVALID_SWF_LENGTH,
FILE_DECODER_EVENT_INVALID_SWF_VERSION,
FILE_DECODER_EVENT_Z_DATA_ERROR,
FILE_DECODER_EVENT_Z_STREAM_ERROR,
FILE_DECODER_EVENT_Z_BUF_ERROR,
FILE_DECODER_EVENT_Z_UNKNOWN_ERROR,
FILE_DECODER_EVENT_LZMA_DECODER_ERROR,
FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR,
FILE_DECODER_EVENT_LZMA_OPTIONS_ERROR,
FILE_DECODER_EVENT_LZMA_FORMAT_ERROR,
FILE_DECODER_EVENT_LZMA_DATA_ERROR,
FILE_DECODER_EVENT_LZMA_BUF_ERROR,
FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR,
There appear to be no rules we ship for these and have no tests. DetectEngineGetEvents
which should be used to get to the set events is not used, so I suspect the code may not work at all.
If this is indeed a bug then we'll need to eval this for backports.
Updated by Jeff Lucovsky over 3 years ago
In addition, there's an additional detect event not handled properly -- events set with DetectEngineSetEvent
are effectively ignored.
$ gg DetectEngineSetEvent src/detect-engine.c:1035: DetectEngineSetEvent(det_ctx, DETECT_EVENT_TOO_MANY_BUFFERS); src/detect-engine.c:4243:void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e) src/detect.h:1498:void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e); src/util-file-decompression.c:95: DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_INVALID_SWF_LENGTH); src/util-file-decompression.c:111: DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_INVALID_SWF_VERSION); src/util-file-decompression.c:117: DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_INVALID_SWF_VERSION); src/util-file-decompression.c:134: DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_NO_MEM); src/util-file-swf-decompression.c:105: DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_Z_DATA_ERROR); src/util-file-swf-decompression.c:109: DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_Z_STREAM_ERROR); src/util-file-swf-decompression.c:113: DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_Z_BUF_ERROR); src/util-file-swf-decompression.c:117: DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_Z_UNKNOWN_ERROR); src/util-file-swf-decompression.c:146: DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_FORMAT_ERROR); src/util-file-swf-decompression.c:151: DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_DECODER_ERROR); src/util-file-swf-decompression.c:168: DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR); src/util-file-swf-decompression.c:172: DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_OPTIONS_ERROR); src/util-file-swf-decompression.c:176: DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_DATA_ERROR); src/util-file-swf-decompression.c:180: DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_BUF_ERROR); src/util-file-swf-decompression.c:184: DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR);
Updated by Jeff Lucovsky about 3 years ago
- Status changed from Assigned to In Review
Updated by Jeff Lucovsky about 3 years ago
- Copied to Bug #4898: detect: Ensure detection events are logged added
Updated by Victor Julien about 2 years ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Victor Julien almost 2 years ago
- Target version changed from 7.0.0-rc1 to 8.0.0-beta1
Updated by Philippe Antoine over 1 year ago
Indeed DetectEngineGetEvents
seems unused
Is there a ticket for swf obsolescence ?
Actions