Project

General

Profile

Actions

Bug #4482

open

detect: detect events not in rules, not tested (and not working?)

Added by Victor Julien about 3 years ago. Updated about 1 year ago.

Status:
In Review
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

There is a special class of 'events' that is currently only used by the swf decoder that runs from the detection engine. In case it finds issues during the decompression process in swf, it sets events.

The events are in detect.h

/* event code */
enum {
#ifdef UNITTESTS
    DET_CTX_EVENT_TEST,
#endif
    FILE_DECODER_EVENT_NO_MEM,
    FILE_DECODER_EVENT_INVALID_SWF_LENGTH,
    FILE_DECODER_EVENT_INVALID_SWF_VERSION,
    FILE_DECODER_EVENT_Z_DATA_ERROR,
    FILE_DECODER_EVENT_Z_STREAM_ERROR,
    FILE_DECODER_EVENT_Z_BUF_ERROR,
    FILE_DECODER_EVENT_Z_UNKNOWN_ERROR,
    FILE_DECODER_EVENT_LZMA_DECODER_ERROR,
    FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR,
    FILE_DECODER_EVENT_LZMA_OPTIONS_ERROR,
    FILE_DECODER_EVENT_LZMA_FORMAT_ERROR,
    FILE_DECODER_EVENT_LZMA_DATA_ERROR,
    FILE_DECODER_EVENT_LZMA_BUF_ERROR,
    FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR,

There appear to be no rules we ship for these and have no tests. DetectEngineGetEvents which should be used to get to the set events is not used, so I suspect the code may not work at all.

If this is indeed a bug then we'll need to eval this for backports.


Subtasks 1 (1 open0 closed)

Bug #4898: detect: Ensure detection events are loggedIn ReviewJeff LucovskyActions
Actions #1

Updated by Jeff Lucovsky almost 3 years ago

In addition, there's an additional detect event not handled properly -- events set with DetectEngineSetEvent are effectively ignored.

$ gg DetectEngineSetEvent
src/detect-engine.c:1035:        DetectEngineSetEvent(det_ctx, DETECT_EVENT_TOO_MANY_BUFFERS);
src/detect-engine.c:4243:void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e)
src/detect.h:1498:void DetectEngineSetEvent(DetectEngineThreadCtx *det_ctx, uint8_t e);
src/util-file-decompression.c:95:        DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_INVALID_SWF_LENGTH);
src/util-file-decompression.c:111:        DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_INVALID_SWF_VERSION);
src/util-file-decompression.c:117:        DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_INVALID_SWF_VERSION);
src/util-file-decompression.c:134:        DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_NO_MEM);
src/util-file-swf-decompression.c:105:            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_Z_DATA_ERROR);
src/util-file-swf-decompression.c:109:            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_Z_STREAM_ERROR);
src/util-file-swf-decompression.c:113:            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_Z_BUF_ERROR);
src/util-file-swf-decompression.c:117:            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_Z_UNKNOWN_ERROR);
src/util-file-swf-decompression.c:146:        DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_FORMAT_ERROR);
src/util-file-swf-decompression.c:151:        DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_DECODER_ERROR);
src/util-file-swf-decompression.c:168:            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR);
src/util-file-swf-decompression.c:172:            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_OPTIONS_ERROR);
src/util-file-swf-decompression.c:176:            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_DATA_ERROR);
src/util-file-swf-decompression.c:180:            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_BUF_ERROR);
src/util-file-swf-decompression.c:184:            DetectEngineSetEvent(det_ctx, FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR);

Actions #2

Updated by Jeff Lucovsky over 2 years ago

  • Status changed from Assigned to In Review
Actions #3

Updated by Jeff Lucovsky over 2 years ago

  • Copied to Bug #4898: detect: Ensure detection events are logged added
Actions #4

Updated by Victor Julien over 1 year ago

  • Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Actions #5

Updated by Victor Julien over 1 year ago

  • Subtask #4898 added
Actions #6

Updated by Victor Julien over 1 year ago

  • Target version changed from 7.0.0-rc1 to 8.0.0-beta1
Actions #7

Updated by Philippe Antoine about 1 year ago

Indeed DetectEngineGetEvents seems unused

Is there a ticket for swf obsolescence ?

Actions

Also available in: Atom PDF