Bug #4482: detect: detect events not in rules, not tested (and not working?) - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #4482

open

VJ JL

detect: detect events not in rules, not tested (and not working?)

Bug #4482: detect: detect events not in rules, not tested (and not working?)

Added by Victor Julien almost 5 years ago. Updated 10 months ago.

Status:

In Progress

Priority:

Normal

Assignee:

Jeff Lucovsky

Target version:

9.0.0-beta1

Affected Versions:

Effort:

Difficulty:

Label:

Description

There is a special class of 'events' that is currently only used by the swf decoder that runs from the detection engine. In case it finds issues during the decompression process in swf, it sets events.

The events are in detect.h

/* event code */
enum {
#ifdef UNITTESTS
    DET_CTX_EVENT_TEST,
#endif
    FILE_DECODER_EVENT_NO_MEM,
    FILE_DECODER_EVENT_INVALID_SWF_LENGTH,
    FILE_DECODER_EVENT_INVALID_SWF_VERSION,
    FILE_DECODER_EVENT_Z_DATA_ERROR,
    FILE_DECODER_EVENT_Z_STREAM_ERROR,
    FILE_DECODER_EVENT_Z_BUF_ERROR,
    FILE_DECODER_EVENT_Z_UNKNOWN_ERROR,
    FILE_DECODER_EVENT_LZMA_DECODER_ERROR,
    FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR,
    FILE_DECODER_EVENT_LZMA_OPTIONS_ERROR,
    FILE_DECODER_EVENT_LZMA_FORMAT_ERROR,
    FILE_DECODER_EVENT_LZMA_DATA_ERROR,
    FILE_DECODER_EVENT_LZMA_BUF_ERROR,
    FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR,

There appear to be no rules we ship for these and have no tests. DetectEngineGetEvents which should be used to get to the set events is not used, so I suspect the code may not work at all.

If this is indeed a bug then we'll need to eval this for backports.

Subtasks 1 (1 open — 0 closed)

JL Updated by Jeff Lucovsky almost 5 years ago Actions
Copy link
#1

In addition, there's an additional detect event not handled properly -- events set with DetectEngineSetEvent are effectively ignored.

$ gg DetectEngineSetEvent
src/detect-engine.c:1035:        DetectEngineSetEvent(det_ctx, DETECT_EVENT_TOO_MANY_BUFFERS);
src/detect-engine.c:4243:void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e)
src/detect.h:1498:void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e);
src/util-file-decompression.c:95:        DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_INVALID_SWF_LENGTH);
src/util-file-decompression.c:111:        DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_INVALID_SWF_VERSION);
src/util-file-decompression.c:117:        DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_INVALID_SWF_VERSION);
src/util-file-decompression.c:134:        DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_NO_MEM);
src/util-file-swf-decompression.c:105:            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_Z_DATA_ERROR);
src/util-file-swf-decompression.c:109:            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_Z_STREAM_ERROR);
src/util-file-swf-decompression.c:113:            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_Z_BUF_ERROR);
src/util-file-swf-decompression.c:117:            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_Z_UNKNOWN_ERROR);
src/util-file-swf-decompression.c:146:        DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_FORMAT_ERROR);
src/util-file-swf-decompression.c:151:        DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_DECODER_ERROR);
src/util-file-swf-decompression.c:168:            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR);
src/util-file-swf-decompression.c:172:            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_OPTIONS_ERROR);
src/util-file-swf-decompression.c:176:            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_DATA_ERROR);
src/util-file-swf-decompression.c:180:            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_BUF_ERROR);
src/util-file-swf-decompression.c:184:            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR);