Bug #451

Unable to identify root cause of error parsing a rule when a long 'Source or Destination address list exceeds' the maximum size of the buffer available.

Added by Roberto Martelloni about 2 years ago. Updated almost 2 years ago.

Status: Closed
Start date: 04/19/2012
Priority: Normal
Due date:
Assignee: Anoop Saldanha
% Done: 0%
Category: -
Estimated time: 4.00 hours
Target version: 1.3beta2

Description

When I write a rule with a lot of IPv4 addresses in the source or destination field I get an error on parsing it and in response Suricata doesn't give useful information to identify the root cause of the problem.

The error message response is below and attached there is the rule, so anyone can check that a ']' is not missing and the problem is the 'BIG LIST of IPv4 ADDRESS' :>

19/4/2012 -- 10:43:49 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - not every address block was properly closed in "[ BIG LIST of IPv4 ADDRESS ]", 1 missing closing brackets (]). Note: problem might be in a variable.
19/4/2012 -- 10:43:49 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip [ BIG LIST of IPv4 ADDRESS ] any <> any any (msg:"IP blacklist APT"; reference:url,boos.core-dumped.info; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:12345600; rev:2;)" from file /etc/suricata/rules/ip-apt.rules at line 3

ip-apt.rules (1.65 KB) Roberto Martelloni, 04/19/2012 03:49 AM

0001-bug-451-fix-for-parsing-address.-Increase-buffer-siz.patch (2.1 KB) Anoop Saldanha, 05/04/2012 01:31 AM

0002-Add-a-nice-error-message-when-we-exceeded-address-bu.patch (1.61 KB) Anoop Saldanha, 05/04/2012 03:31 AM
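An added example, not Suricata's code and not taken from the attached patches, showing the shape of the misreport described above and the kind of check the thread asks for: a bracketed address list copied into a fixed-size buffer. ADDR_BUF_SIZE, the function names and the 10.0.x.y addresses are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Fixed scratch buffer for one address block; constructed size, not Suricata's. */
#define ADDR_BUF_SIZE 128
enum addr_status { ADDR_OK = 0, ADDR_ERR_UNCLOSED = 1, ADDR_ERR_TOO_LONG = 2 };

/* Number of '[' left unclosed in buf (negative: stray ']'). */
static int bracket_balance(const char *buf)
{
    int depth = 0;
    for (; *buf; buf++)
        depth += (*buf == '[') - (*buf == ']');
    return depth;
}

/* Pre-fix shape of the bug: copy with silent truncation, then check brackets.
 * An oversize list loses its trailing ']' and is misreported as unclosed. */
int parse_addr_truncating(const char *list, char *buf, size_t buflen)
{
    snprintf(buf, buflen, "%s", list);
    return bracket_balance(buf) == 0 ? ADDR_OK : ADDR_ERR_UNCLOSED;
}

/* Fixed shape: refuse a list that cannot fit, with a specific error, before
 * the bracket check can produce a misleading one. */
int parse_addr_checked(const char *list, char *buf, size_t buflen)
{
    if (strlen(list) >= buflen) return ADDR_ERR_TOO_LONG;
    strcpy(buf, list);
    return bracket_balance(buf) == 0 ? ADDR_OK : ADDR_ERR_UNCLOSED;
}

/* Build a constructed "[10.0.0.1,10.0.0.2,...]" list of n addresses. */
size_t build_ip_list(unsigned n, char *out, size_t outlen)
{
    size_t pos = (size_t)snprintf(out, outlen, "[");
    for (unsigned i = 1; i <= n && pos < outlen; i++)
        pos += (size_t)snprintf(out + pos, outlen - pos, "%s10.0.%u.%u",
                                i > 1 ? "," : "", i / 256, i % 256);
    if (pos < outlen) pos += (size_t)snprintf(out + pos, outlen - pos, "]");
    return pos;
}

/* Parse an n-address list with either variant and return its status. */
int parse_list_of(unsigned n, int use_checked)
{
    char list[4096], buf[ADDR_BUF_SIZE];
    build_ip_list(n, list, sizeof list);
    return use_checked ? parse_addr_checked(list, buf, sizeof buf) : parse_addr_truncating(list, buf, sizeof buf);
}
```

With 20 addresses the list (192 bytes) no longer fits the 128-byte buffer: the truncating variant reports a missing ']' while the checked variant reports the buffer limit.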

History

#1 Updated by Peter Manev about 2 years ago

Hi ,
Just double checked with Suricata version 1.3dev (rev 61d5fe3), with the ip-apt.rules file provided.
I can confirm the problem.

If the IPs are 89 and below (count, 89 IP addresses), there are no issues; as soon as they are 90 and above, we get the aforementioned rule failing to load with the wrong error message.

thanks

#2 Updated by Anoop Saldanha almost 2 years ago

  • Assignee set to Anoop Saldanha

#3 Updated by Victor Julien almost 2 years ago

  • Priority changed from Low to Normal
  • Target version changed from 1.2.1 to 1.3beta2
  • Estimated time set to 4.00

#4 Updated by Anoop Saldanha almost 2 years ago

fix attached.

#5 Updated by Victor Julien almost 2 years ago

I think this fix is missing a meaningful error for when the address size limit is reached. Increasing the size certainly limits the possibility of this happening (esp. since there is a total rule limit as well). Expansion of vars still allows for overrunning this limit I think, so an error is needed.

#6 Updated by Anoop Saldanha almost 2 years ago

yeah. Added a nice error message now.

#7 Updated by Victor Julien almost 2 years ago

  • Status changed from Resolved to Closed

Both applied, thanks Anoop!
