Bug #4820: xbits: no error on invalid 'expire' values
Status: Closed
Description
alert http any any -> any any (msg:"TEST - No Error"; flow:established,to_server; http.method; content:"GET"; xbits:set,ET.2020_8260.1,track ip_src,expire 10,noalert; sid:1;)
alert http any any -> any any (msg:"TEST - Error"; flow:established,to_server; http.method; content:"GET"; xbits:set,ET.2020_8260.1,noalert,track ip_src,expire 10; sid:2;)
alert http any any -> any any (msg:"TEST - No Error"; flow:established,to_server; http.method; content:"GET"; xbits:set,ET.2020_8260.1,track ip_src,expire 10,asdf; sid:3;)
Only sid 2 produces an error, even though all 3 sids should be considered "invalid".
Error Produced by sid:2
[1539] 27/10/2021 -- 21:58:51 - (detect-xbits.c:208) <Error> (DetectXbitParse) -- [ERRCODE: SC_ERR_PCRE_MATCH(2)] - "set,ET.2020_8260.1,noalert,track ip_src,expire 10" is not a valid setting for xbits.
I'd also add that the documentation is a bit vague on the proper use of the noalert keyword in relation to xbits. It currently reads
To not alert, use noalert;
I suggest adding a bit of context which indicates it should be a standalone keyword in the rule and not an "option" to the xbits keyword.
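As an added illustration of the check this report asks for (example code, not Suricata's own parser), here is a strict parser for the value of an xbits keyword. It accepts only the documented shape `<action>,<name>,track <ip_src|ip_dst|ip_pair>[,expire <seconds>]` and rejects any trailing or interleaved option it does not know, so all three rules above fail to load rather than only sid 2. The default expire of 30 seconds and the accepted action names follow the Suricata documentation; the error type names are this example's own.

```rust
// Added example, not Suricata's own code: a strict parser for the xbits value
// that rejects every option it does not recognise. Syntax assumed:
//   xbits:<action>,<name>,track <ip_src|ip_dst|ip_pair>[,expire <seconds>]

#[derive(Debug, PartialEq, Clone, Copy)]
pub enum Track {
    IpSrc,
    IpDst,
    IpPair,
}

#[derive(Debug, PartialEq)]
pub struct Xbits {
    pub action: String,
    pub name: String,
    pub track: Track,
    pub expire: u32,
}

#[derive(Debug, PartialEq)]
pub enum XbitsError {
    MissingAction,
    BadAction(String),
    MissingName,
    MissingTrack,
    BadTrack(String),
    BadExpire(String),
    Duplicate(String),
    /// Anything that is not `track ...` or `expire ...`, e.g. `noalert` or `asdf`.
    Unknown(String),
}

pub fn parse_xbits(value: &str) -> Result<Xbits, XbitsError> {
    let mut parts = value.split(',').map(str::trim);

    // First field: the action. Reject anything outside the known set.
    let action = parts.next().filter(|s| !s.is_empty()).ok_or(XbitsError::MissingAction)?;
    if !matches!(action, "set" | "unset" | "toggle" | "isset" | "isnotset") {
        return Err(XbitsError::BadAction(action.to_string()));
    }

    // Second field: the bit name.
    let name = parts.next().filter(|s| !s.is_empty()).ok_or(XbitsError::MissingName)?;

    // Remaining fields: "key value" pairs. Each key at most once; anything else is an error.
    let mut track = None;
    let mut expire = None;
    for part in parts {
        let mut kv = part.splitn(2, char::is_whitespace);
        let key = kv.next().unwrap_or("");
        let val = kv.next().map(str::trim).filter(|v| !v.is_empty());
        match (key, val) {
            ("track", Some(v)) => {
                if track.is_some() {
                    return Err(XbitsError::Duplicate(key.to_string()));
                }
                track = Some(match v {
                    "ip_src" => Track::IpSrc,
                    "ip_dst" => Track::IpDst,
                    "ip_pair" => Track::IpPair,
                    other => return Err(XbitsError::BadTrack(other.to_string())),
                });
            }
            ("expire", Some(v)) => {
                if expire.is_some() {
                    return Err(XbitsError::Duplicate(key.to_string()));
                }
                // Positive integers only: "expire 0", "expire -5" and "expire abc" are rejected.
                match v.parse::<u32>() {
                    Ok(n) if n > 0 => expire = Some(n),
                    _ => return Err(XbitsError::BadExpire(v.to_string())),
                }
            }
            // A bare word (noalert, asdf) or an unknown key lands here.
            _ => return Err(XbitsError::Unknown(part.to_string())),
        }
    }

    Ok(Xbits {
        action: action.to_string(),
        name: name.to_string(),
        track: track.ok_or(XbitsError::MissingTrack)?,
        expire: expire.unwrap_or(30), // documented default when expire is omitted
    })
}

fn main() {
    // The three xbits values from the bug report plus one valid control (constructed).
    let samples = [
        ("sid:1", "set,ET.2020_8260.1,track ip_src,expire 10,noalert"),
        ("sid:2", "set,ET.2020_8260.1,noalert,track ip_src,expire 10"),
        ("sid:3", "set,ET.2020_8260.1,track ip_src,expire 10,asdf"),
        ("control", "set,ET.2020_8260.1,track ip_src,expire 10"),
    ];
    for (label, value) in samples.iter() {
        match parse_xbits(value) {
            Ok(x) => println!("{}: ok ({:?})", label, x),
            Err(e) => println!("{}: rejected: {:?}", label, e),
        }
    }
}
```

Run as a binary it prints a rejection for sid 1, 2 and 3 (all with `Unknown("noalert")` or `Unknown("asdf")`) and an `ok` for the control. The point for rule authors is the same one the report makes about the documentation: `noalert` is a rule keyword of its own, so when it appears inside the xbits value it is simply an unknown option and should be refused, wherever in the list it sits.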
Updated by Jeff Lucovsky about 3 years ago
- Copied from Bug #4786: xbits: no error on invalid 'expire' values added
Updated by Jeff Lucovsky about 3 years ago
- Target version changed from 6.0.4 to 6.0.5
Updated by Shivani Bhardwaj almost 3 years ago
- Status changed from Assigned to In Review
Updated by Shivani Bhardwaj almost 3 years ago
- Status changed from In Review to Closed
Updated by Shivani Bhardwaj almost 3 years ago
- Related to Optimization #5207: Common Rust parser for *bits added
Updated by Shivani Bhardwaj almost 3 years ago
- Related to deleted (Optimization #5207: Common Rust parser for *bits)