Bug #451

closed

Unable to identify root cause of error parsing a rule when a long 'Source or Destination address list' exceeds the maximum size of the buffer available.

Added by Roberto Martelloni about 12 years ago. Updated almost 12 years ago.

Status: Closed
Priority: Normal

Description

When I write a rule with a lot of IPv4 addresses in the source or destination field, I get an error on parsing it, and in response Suricata doesn't give useful information to identify the root cause of the problem.

The error message response is below, and the rule is attached, so anyone can check that a ']' is not missing and the problem is the ' BIG LIST of IPv4 ADDRESS' :>

19/4/2012 -- 10:43:49 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - not every address block was properly closed in "[ BIG LIST of IPv4 ADDRESS ]", 1 missing closing brackets (]). Note: problem might be in a variable.
19/4/2012 -- 10:43:49 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip [ BIG LIST of IPv4 ADDRESS ] any <> any any (msg:"IP blacklist APT"; reference:url,boos.core-dumped.info; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:12345600; rev:2;)" from file /etc/suricata/rules/ip-apt.rules at line 3
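
A pre-load check for the situation reported above, added here as an example (it is not Suricata code and not part of the original report): it separates a rule whose address list really is missing a bracket from one whose list is balanced but longer than a configurable limit. The helper names and the 8192-character limit are assumptions; the page does not state the actual buffer size.

```python
# Added example: hypothetical helper names; the limit is an assumption,
# the page does not state Suricata's real buffer size.
ASSUMED_LIMIT = 8192

def split_header(rule):
    """Split the rule header on whitespace, keeping [ ... ] lists whole."""
    header = rule.split("(", 1)[0]
    fields, buf, depth = [], "", 0
    for ch in header:
        depth += (ch == "[") - (ch == "]")
        if ch.isspace() and depth <= 0:
            if buf:
                fields.append(buf)
            buf = ""
        else:
            buf += ch
    if buf:
        fields.append(buf)
    return fields

def diagnose(rule, limit=ASSUMED_LIMIT):
    """Return findings that separate bracket errors from oversized lists."""
    header = rule.split("(", 1)[0]
    if header.count("[") != header.count("]"):
        return ["unbalanced-brackets"]
    fields = split_header(rule)
    if len(fields) != 7:  # action proto src sport direction dst dport
        return ["malformed-header"]
    findings = [f"{name}-list-too-long:{len(value)}"
                for name, value in (("src", fields[2]), ("dst", fields[5]))
                if len(value) > limit]
    return findings or ["ok"]

def build_rule(count, closed=True):
    """Constructed sample rule using documentation-range addresses."""
    addrs = ",".join(f"198.51.100.{i % 256}" for i in range(count))
    tail = "]" if closed else ""
    return f'alert ip [{addrs}{tail} any <> any any (msg:"sample"; sid:1;)'

if __name__ == "__main__":
    for label, rule in (("short", build_rule(3)),
                        ("long", build_rule(1000)),
                        ("unclosed", build_rule(3, closed=False))):
        print(label, diagnose(rule))
```

A rule that reports only a `-list-too-long` finding has balanced brackets, so a "missing closing brackets" error for it points at list size rather than syntax.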

