Actions
Bug #4688
closed
JL
VJ
detect: too many prefilter engines lead to FNs
Bug #4688:
detect: too many prefilter engines lead to FNs
Affected Versions:
Effort:
Difficulty:
Label:
Description
Fix for QA ticket #4672
Bad int handling leads to missed inspection when prefilter engine list gets too long. In addition to this there is a logic issue that leads to the available bit-space for tracking prefilter engines to overflow. The fix for this is more intrusive, and is not backported to Suricata 5.0. Suricata 5.0 does detect this condition and will issue a warning by default, or an error with -T.
If you encounter this warning the fix is to upgrade to 6.0.4+.
The warning is
<Warning> - [ERRCODE: SC_ERR_DETECT_PREPARE(173)] - max number of prefilter engines exceeded (100 >= 62). Risk of False Negatives. See ticket #4688.
The (fatal) error in case of
-T is<Error> - [ERRCODE: SC_ERR_DETECT_PREPARE(173)] - max number of prefilter engines exceeded (100 >= 62). Risk of False Negatives. See ticket #4688.
Files
JL Updated by Jeff Lucovsky over 4 years ago
- Copied from Bug #4685: detect: too many prefilter engines lead to FNs added
VJ Updated by Victor Julien over 4 years ago
- Assignee changed from Jeff Lucovsky to Victor Julien
VJ Updated by Victor Julien over 4 years ago
- Description updated (diff)
- Status changed from Assigned to In Progress
VJ Updated by Victor Julien over 4 years ago
VJ Updated by Victor Julien over 4 years ago
- Status changed from In Progress to Closed
VJ Updated by Victor Julien over 4 years ago
- Private changed from Yes to No
Actions