Bug #4688
Closed
detect: too many prefilter engines lead to FNs
Description
Fix for QA ticket #4672
Bad int handling leads to missed inspection when the prefilter engine list gets too long. In addition, there is a logic issue that causes the available bit-space for tracking prefilter engines to overflow. The fix for this is more intrusive, and is not backported to Suricata 5.0. Suricata 5.0 does detect this condition and will issue a warning by default, or an error with -T.
If you encounter this warning the fix is to upgrade to 6.0.4+.
The warning is:
<Warning> - [ERRCODE: SC_ERR_DETECT_PREPARE(173)] - max number of prefilter engines exceeded (100 >= 62). Risk of False Negatives. See ticket #4688.
The (fatal) error in case of -T is:
<Error> - [ERRCODE: SC_ERR_DETECT_PREPARE(173)] - max number of prefilter engines exceeded (100 >= 62). Risk of False Negatives. See ticket #4688.
Updated by Jeff Lucovsky over 3 years ago
- Copied from Bug #4685: detect: too many prefilter engines lead to FNs added
Updated by Victor Julien about 3 years ago
- Assignee changed from Jeff Lucovsky to Victor Julien
Updated by Victor Julien about 3 years ago
- Description updated (diff)
- Status changed from Assigned to In Progress
Updated by Victor Julien about 3 years ago
Updated by Victor Julien about 3 years ago
- Status changed from In Progress to Closed
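Added example, not part of the ticket or of Suricata: a log check that finds the warning and the -T error quoted in the description, so a sensor at risk of false negatives can be flagged for the 6.0.4+ upgrade. The function names, the verdict strings and the sample log lines are assumptions made for illustration.

```python
import re
import sys

# Message text as quoted in the ticket; the two numbers are captured, not hard-coded.
PATTERN = re.compile(
    r"<(?P<level>Warning|Error)> - \[ERRCODE: SC_ERR_DETECT_PREPARE\(173\)\] - "
    r"max number of prefilter engines exceeded \((?P<count>\d+) >= (?P<limit>\d+)\)"
)

# Constructed sample input: timestamps, version and the <Notice> lines are made up.
SAMPLE_LOG = """\
1/12/2021 -- 09:14:02 - <Notice> - This is Suricata version 5.0.8 RELEASE running in SYSTEM mode
1/12/2021 -- 09:14:05 - <Warning> - [ERRCODE: SC_ERR_DETECT_PREPARE(173)] - max number of prefilter engines exceeded (100 >= 62). Risk of False Negatives. See ticket #4688.
1/12/2021 -- 09:14:06 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
1/12/2021 -- 09:20:11 - <Error> - [ERRCODE: SC_ERR_DETECT_PREPARE(173)] - max number of prefilter engines exceeded (100 >= 62). Risk of False Negatives. See ticket #4688.
""".splitlines()


def find_prefilter_overflow(lines):
    """Return one record per occurrence of the ticket #4688 message."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = PATTERN.search(line)
        if m:
            findings.append({
                "line": lineno,
                "fatal": m["level"] == "Error",  # <Error> is the -T case
                "engines": int(m["count"]),
                "limit": int(m["limit"]),
            })
    return findings


def verdict(findings):
    """clean / running-with-fn-risk (warning seen) / config-test-failed (-T errors only)."""
    if not findings:
        return "clean"
    if any(not f["fatal"] for f in findings):
        return "running-with-fn-risk"
    return "config-test-failed"


if __name__ == "__main__":
    # Hypothetical usage: pass a Suricata log path, or no argument to use the sample.
    lines = open(sys.argv[1], errors="replace").read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    found = find_prefilter_overflow(lines)
    for f in found:
        print(f"line {f['line']}: {f['engines']} engines, limit {f['limit']}, fatal={f['fatal']}")
    print(verdict(found))
    sys.exit(1 if found else 0)
```

The non-zero exit status on any match lets the check run from a scheduled job or a post-reload hook.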