Open Information Security Foundation - https://redmine.openinfosecfoundation.org/ - 2022-02-22T16:43:37Z
Suricata - Bug #5151: flowbits: noalert is allowed in rule language with other commands
https://redmine.openinfosecfoundation.org/issues/5151?journal_id=22495 - 2022-02-22T16:43:37Z - Shivani Bhardwaj
<ul><li><strong>Label</strong> <i>Needs backport to 5.0, Needs backport to 6.0</i> added</li></ul>
Suricata - Bug #5151: flowbits: noalert is allowed in rule language with other commands
https://redmine.openinfosecfoundation.org/issues/5151?journal_id=22541 - 2022-02-24T12:11:15Z - Shivani Bhardwaj
<ul><li><strong>Copied to</strong> <i><a class="issue tracker-1 status-6 priority-4 priority-default closed" href="/issues/5153">Bug #5153</a>: xbits: noalert is allowed in rule language with other commands</i> added</li></ul>
Suricata - Bug #5151: flowbits: noalert is allowed in rule language with other commands
https://redmine.openinfosecfoundation.org/issues/5151?journal_id=22552 - 2022-02-24T12:15:13Z - Shivani Bhardwaj
<ul><li><strong>Copied to</strong> <i><a class="issue tracker-1 status-6 priority-4 priority-default closed" href="/issues/5158">Bug #5158</a>: flowbits: noalert is allowed in rule language with other commands</i> added</li></ul>
Suricata - Bug #5151: flowbits: noalert is allowed in rule language with other commands
https://redmine.openinfosecfoundation.org/issues/5151?journal_id=22554 - 2022-02-24T12:15:59Z - Shivani Bhardwaj
<ul><li><strong>Copied to</strong> <i><a class="issue tracker-1 status-6 priority-4 priority-default closed" href="/issues/5159">Bug #5159</a>: flowbits: noalert is allowed in rule language with other commands</i> added</li></ul>
Suricata - Bug #5151: flowbits: noalert is allowed in rule language with other commands
https://redmine.openinfosecfoundation.org/issues/5151?journal_id=22576 - 2022-02-28T07:16:03Z - Shivani Bhardwaj
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Rejected</i></li></ul><p>The assessment of how this worked or should work was mistaken.</p>
<p>On closer observation, the way it seems to work is:<br />Allocate a flowbits data struct and add it to the sigmatch context if there are any commands other than "noalert".<br />If it's a "noalert" command, set the noalert flag on the signature; there is no point or need to alloc any struct in this case.</p>
<p>Since this happens for each and every flowbit, if there are multiple flowbits defined in a rule, the above two steps will be followed for all of them.<br />As a result, for a signature like:</p>
<pre><code>alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 1"; flowbits:noalert; flow: to_client,established; file_data; content:"|3C|OBJECT"; nocase; content:"application/x-oleobject"; nocase; within:64; content:"codebase="; nocase; content:"hhctrl.ocx"; nocase; within:15; flowbits:set,winhlp32; reference:url,doc.emergingthreats.net/bin/view/Main/2001622; classtype:web-application-attack; sid:2001622; rev:16; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2017_05_08;)
</code></pre>
<p>First, with <strong>flowbits:noalert;</strong>, the signature is given a flag to ensure that it does not alert even if it does match.<br />Then, with <strong>flowbits:set,winhlp32;</strong>, a flowbit data struct is alloc'd and added to the sigmatch table to make sure that it is tracked.</p>
<p>As a result of this, the flowbit is set and the sig would not alert, as expected.</p>
<p>In conclusion, this already works as expected.</p>
Suricata - Bug #5151: flowbits: noalert is allowed in rule language with other commands
https://redmine.openinfosecfoundation.org/issues/5151?journal_id=25143 - 2022-10-25T12:25:16Z - Victor Julien victor@inliniac.net
<ul><li><strong>Assignee</strong> deleted (<del><i>Shivani Bhardwaj</i></del>)</li><li><strong>Target version</strong> deleted (<del><i>7.0.0-beta1</i></del>)</li></ul>
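<p>As an added illustration of the parsing behaviour described in the rejection comment above (this is a constructed Python model, not Suricata's own parser), the following scans a rule's options in order and treats each <code>flowbits</code> keyword the way the comment describes: <code>noalert</code> only sets a per-signature flag, while every other command gets its own tracked entry. The rule text is the one quoted in the comment; the <code>Signature</code> and <code>FlowbitMatch</code> names are assumptions made for the model.</p>

```python
from dataclasses import dataclass, field

# Constructed sample input: the ET rule quoted in the ticket comment.
RULE = ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX '
        'control attack - phase 1"; flowbits:noalert; flow: to_client,established; file_data; '
        'content:"|3C|OBJECT"; nocase; content:"application/x-oleobject"; nocase; within:64; '
        'content:"codebase="; nocase; content:"hhctrl.ocx"; nocase; within:15; '
        'flowbits:set,winhlp32; reference:url,doc.emergingthreats.net/bin/view/Main/2001622; '
        'classtype:web-application-attack; sid:2001622; rev:16;)')

@dataclass
class FlowbitMatch:            # model of the per-keyword struct that gets "alloc'd" and tracked
    command: str               # set, isset, isnotset, unset, toggle
    name: str

@dataclass
class Signature:               # model of the signature being built (hypothetical names)
    sid: int = 0
    noalert: bool = False                         # flag only; no struct behind it
    flowbits: list = field(default_factory=list)  # one entry per non-noalert flowbits keyword

def split_options(body):
    """Split the parenthesised rule body on ';' that are outside double quotes."""
    opts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return [o for o in opts + [tail] if o]

def parse_rule(rule):
    """Walk the options in order; each flowbits keyword is handled independently."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    sig = Signature()
    for opt in split_options(body):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "sid":
            sig.sid = int(val)
        elif key == "flowbits":
            parts = [p.strip() for p in val.split(",")]
            if parts[0] == "noalert":
                sig.noalert = True          # set the flag; nothing is added to the match list
            elif len(parts) == 2:
                sig.flowbits.append(FlowbitMatch(parts[0], parts[1]))  # tracked entry
            else:
                raise ValueError(f"flowbits:{val}: command needs exactly one bit name")
    return sig
```

Run against <code>RULE</code>, the result has <code>noalert</code> set and a single tracked <code>set,winhlp32</code> entry, which is the combination the ticket concluded already works.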