Unable to identify root cause of error parsing a rule when a long 'Source or Destination address list excedd' the maximum size of the buffer available.
|Assignee:||Anoop Saldanha||% Done:|
When I write a rule with a lot of IPv4 address in the source or destination field I get an error on parsing it and in response suricata don't give useful information to identify the root cause of the problem.
The error message response is bellow and attached there is the rule, so anyone can check that a ']' is not missing and the problem is the ' BIG LIST of IPv4 ADDRESS' :>
19/4/2012 -- 10:43:49 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - not every address block was properly closed in "[ BIG LIST of IPv4 ADDRESS ]", 1 missing closing brackets (]). Note: problem might be in a variable.
19/4/2012 -- 10:43:49 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip [ BIG LIST of IPv4 ADDRESS ] any <> any any (msg:"IP blacklist APT"; reference:url,boos.core-dumped.info; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:12345600; rev:2;)" from file /etc/suricata/rules/ip-apt.rules at line 3
#1 Updated by Peter Manev over 3 years ago
Just double checked with Suricata version 1.3dev (rev 61d5fe3), with the ip-apt.rules file provided.
I can confirm the problem.
If the IPs are 89 and below (count, 89 ip addresses ), there is no issues, as soon as they are 90 and above , we get the aforementioned rule failing to load with wrong err msg.
#4 Updated by Anoop Saldanha about 3 years ago
- File 0001-bug-451-fix-for-parsing-address.-Increase-buffer-siz.patch added
- Status changed from New to Resolved
#5 Updated by Victor Julien about 3 years ago
I think this fix is missing a meaningful error for when the address size limit is reached. Increasing the size certainly limits the possibility of this happening (esp since where is a total rule limit as well). Expansion of vars still allows for overrunning this limit I think, so an error is needed.
#6 Updated by Anoop Saldanha about 3 years ago
yeah. Added a nice error message now.