Bug #4688

closed

detect: too many prefilter engines lead to FNs

Added by Jeff Lucovsky about 1 year ago. Updated 10 months ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Fix for QA ticket #4672

Bad int handling leads to missed inspection when the prefilter engine list gets too long. In addition, a logic issue causes the bit-space available for tracking prefilter engines to overflow. The fix for this is more intrusive and is not backported to Suricata 5.0. Suricata 5.0 does detect the condition and issues a warning by default, or an error when run with -T.

If you encounter this warning the fix is to upgrade to 6.0.4+.

The warning is

<Warning> - [ERRCODE: SC_ERR_DETECT_PREPARE(173)] - max number of prefilter engines exceeded (100 >= 62). Risk of False Negatives. See ticket #4688.

The (fatal) error in case of -T is

<Error> - [ERRCODE: SC_ERR_DETECT_PREPARE(173)] - max number of prefilter engines exceeded (100 >= 62). Risk of False Negatives. See ticket #4688.
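The following C program is an added illustration of the failure class the description refers to; it is not Suricata's code and not the 6.0.4 fix. It models prefilter engines as bits in a fixed-width mask: the number of engines that can be tracked is bounded by the mask width, so a prepare-time count check must refuse to proceed (warning by default, fatal in a test mode that stands in for -T) rather than let engine ids run past the available bits and silently alias one another, which is how inspection gets skipped. The 62-engine limit is taken from the warning text above; the type and function names and the `test_mode` flag are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model, not Suricata's code: the number of prefilter engines
 * that can be tracked is bounded by the bits available in the mask. 62 is the
 * limit quoted in the ticket's warning; the names below are assumptions. */
#define PREFILTER_ENGINE_BITS 62

typedef enum {
    PREFILTER_OK = 0,     /* engine count fits in the tracking bit-space */
    PREFILTER_WARN = 1,   /* too many engines: warn, keep running (default) */
    PREFILTER_FATAL = 2   /* too many engines: error out (test mode, like -T) */
} PrefilterStatus;

typedef struct {
    uint64_t ran_mask;    /* bit i is set once engine i has inspected the packet */
} PrefilterTracker;

/* Prepare-time check: does the engine list produced by the rule set fit in
 * the tracking bit-space? In test mode the condition is fatal, otherwise it
 * is a warning, mirroring the default-vs-"-T" behaviour in the description. */
PrefilterStatus PrefilterCheckEngineCount(int n_engines, bool test_mode)
{
    if (n_engines > PREFILTER_ENGINE_BITS) {
        fprintf(stderr,
                "%s - max number of prefilter engines exceeded (%d > %d). "
                "Risk of False Negatives.\n",
                test_mode ? "<Error>" : "<Warning>",
                n_engines, PREFILTER_ENGINE_BITS);
        return test_mode ? PREFILTER_FATAL : PREFILTER_WARN;
    }
    return PREFILTER_OK;
}

/* Record that engine `id` ran. The bounds check keeps the shift inside the
 * mask width; a shift by 64 or more is undefined behaviour in C and, on common
 * hardware, wraps so that a high engine id aliases a low one. */
bool PrefilterMarkRan(PrefilterTracker *t, int id)
{
    if (id < 0 || id >= PREFILTER_ENGINE_BITS)
        return false;
    t->ran_mask |= (UINT64_C(1) << id);
    return true;
}

/* Query whether engine `id` ran; ids outside the tracked range never did. */
bool PrefilterDidRun(const PrefilterTracker *t, int id)
{
    if (id < 0 || id >= PREFILTER_ENGINE_BITS)
        return false;
    return ((t->ran_mask >> id) & UINT64_C(1)) != 0;
}

int main(void)
{
    /* Constructed scenario: a rule set that yields 100 engines, as in the
     * ticket's warning, checked first in default mode and then in test mode. */
    PrefilterStatus st = PrefilterCheckEngineCount(100, false);
    printf("default mode: status %d (1 = warn)\n", st);
    st = PrefilterCheckEngineCount(100, true);
    printf("test mode:    status %d (2 = fatal)\n", st);

    PrefilterTracker t = {0};
    PrefilterMarkRan(&t, 0);
    PrefilterMarkRan(&t, 61);
    printf("engine 61 ran: %d, engine 62 accepted: %d\n",
           PrefilterDidRun(&t, 61), PrefilterMarkRan(&t, 62));
    return 0;
}
```

The design point is that the capacity check happens once, at prepare time, on the total engine count, and that the per-packet mark and query functions also refuse out-of-range ids, so exhausting the bit-space produces a visible diagnostic instead of a silent false negative.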


Files

test.rules (9.93 KB), Victor Julien, 09/15/2021 08:14 AM

Related issues: 1 (0 open, 1 closed)

Copied from Bug #4685: detect: too many prefilter engines lead to FNs (Closed, Victor Julien)

#1 Updated by Jeff Lucovsky about 1 year ago

  • Copied from Bug #4685: detect: too many prefilter engines lead to FNs added

#2 Updated by Victor Julien 12 months ago

  • Assignee changed from Jeff Lucovsky to Victor Julien

#3 Updated by Victor Julien 12 months ago

  • Description updated (diff)
  • Status changed from Assigned to In Progress

#5 Updated by Victor Julien 12 months ago

  • Status changed from In Progress to Closed

#6 Updated by Victor Julien 10 months ago

  • Private changed from Yes to No