Project

General

Profile

Actions

Bug #5151

closed

flowbits: noalert is allowed in rule language with other commands

Added by Shivani Bhardwaj almost 3 years ago. Updated about 2 years ago.

Status:
Rejected
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport to 5.0, Needs backport to 6.0

Description

This leads to the entire struct initialization part being skipped.


Related issues 3 (0 open3 closed)

Copied to Suricata - Bug #5153: xbits: noalert is allowed in rule language with other commandsRejectedActions
Copied to Suricata - Bug #5158: flowbits: noalert is allowed in rule language with other commandsRejectedShivani BhardwajActions
Copied to Suricata - Bug #5159: flowbits: noalert is allowed in rule language with other commandsRejectedJeff LucovskyActions
Actions #1

Updated by Shivani Bhardwaj almost 3 years ago

  • Label Needs backport to 5.0, Needs backport to 6.0 added
Actions #2

Updated by Shivani Bhardwaj almost 3 years ago

  • Copied to Bug #5153: xbits: noalert is allowed in rule language with other commands added
Actions #3

Updated by Shivani Bhardwaj almost 3 years ago

  • Copied to Bug #5158: flowbits: noalert is allowed in rule language with other commands added
Actions #4

Updated by Shivani Bhardwaj almost 3 years ago

  • Copied to Bug #5159: flowbits: noalert is allowed in rule language with other commands added
Actions #5

Updated by Shivani Bhardwaj almost 3 years ago

  • Status changed from Assigned to Rejected

The assessment of how this worked or should work was mistaken.

On closer observation, the way it seems to work is:
Allocate a flowbits data struct, add it to sigmatch context if there are any commands other than "noalert"
If it's a "noalert" command, set noalert flag on the signature, there is no point or need of alloc'ing any struct in this case.

Since this happens for each and every flowbit, if there are multiple flowbits defined in a rule, the above two steps will follow for all.
As a result, for a signature like,

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET ACTIVEX winhlp32 ActiveX control attack - phase 1"; flowbits:noalert; flow: to_client,established; file_data; content:"|3C|OBJECT"; nocase; content:"application/x-oleobject"; nocase; within:64; content:"codebase="; nocase; content:"hhctrl.ocx"; nocase; within:15; flowbits:set,winhlp32; reference:url,doc.emergingthreats.net/bin/view/Main/2001622; classtype:web-application-attack; sid:2001622; rev:16; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ACTIVEX, signature_severity Major, tag ActiveX, updated_at 2017_05_08;)

First, with flowbits:noalert; , the signature is given a flag to ensure that it does not alert even if it does match.
Then, with flowbits:set,winhlp32;, a flowbit data struct is alloc'd and added to sigmatch table to make sure that it is tracked.

As a result of this, flowbit is set and the sig would not alert as expected.

In conclusion, this already works as expected.

Actions #6

Updated by Victor Julien about 2 years ago

  • Assignee deleted (Shivani Bhardwaj)
  • Target version deleted (7.0.0-beta1)
Actions

Also available in: Atom PDF