Actions
Bug #4898
openBug #4482: detect: detect events not in rules, not tested (and not working?)
detect: Ensure detection events are logged
Affected Versions:
Effort:
Difficulty:
Label:
Description
This parent issue -- 4482 -- will ensure that alerts are generated internally from the events listed below. This issue to ensure that these events are logged when they occur.
There is a special class of 'events' that is currently only used by the swf decoder that runs from the detection engine. In case it finds issues during the decompression process in swf, it sets events.
The events are in detect.h
/* event code */
enum {
#ifdef UNITTESTS
DET_CTX_EVENT_TEST,
#endif
FILE_DECODER_EVENT_NO_MEM,
FILE_DECODER_EVENT_INVALID_SWF_LENGTH,
FILE_DECODER_EVENT_INVALID_SWF_VERSION,
FILE_DECODER_EVENT_Z_DATA_ERROR,
FILE_DECODER_EVENT_Z_STREAM_ERROR,
FILE_DECODER_EVENT_Z_BUF_ERROR,
FILE_DECODER_EVENT_Z_UNKNOWN_ERROR,
FILE_DECODER_EVENT_LZMA_DECODER_ERROR,
FILE_DECODER_EVENT_LZMA_MEMLIMIT_ERROR,
FILE_DECODER_EVENT_LZMA_OPTIONS_ERROR,
FILE_DECODER_EVENT_LZMA_FORMAT_ERROR,
FILE_DECODER_EVENT_LZMA_DATA_ERROR,
FILE_DECODER_EVENT_LZMA_BUF_ERROR,
FILE_DECODER_EVENT_LZMA_UNKNOWN_ERROR,
There appear to be no rules we ship for these and have no tests. DetectEngineGetEvents which should be used to get to the set events is not used, so I suspect the code may not work at all.
If this is indeed a bug then we'll need to eval this for backports.
Updated by Jeff Lucovsky over 2 years ago
- Copied from Bug #4482: detect: detect events not in rules, not tested (and not working?) added
Updated by Jeff Lucovsky over 2 years ago
- Status changed from Assigned to In Review
Updated by Victor Julien over 1 year ago
- Target version changed from 7.0.0-beta1 to 7.0.0-rc1
Updated by Victor Julien about 1 year ago
- Target version changed from 7.0.0-rc1 to 8.0.0-beta1
Actions