Actions
Bug #5201
closed
GT
JI
content:"22 2 22"; is parsed without error
Bug #5201:
content:"22 2 22"; is parsed without error
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport to 5.0, Needs backport to 6.0
Description
This should probably cause suricata to freak out. It was a rule bug in 2035512 and according to @bmurphy even snort throws an error on this.
BM Updated by Brandon Murphy about 4 years ago
Given the following rule:
alert tcp any any -> any any (msg:"test"; content:"|22 2 22|"; sid:1;)
Based on the fast_pattern analysis, Suricata appears to accept this incorrect hex content and actually skips the invalid byte.
== Sid: 1 ==
alert tcp any any -> any any (msg:"test"; content:"|22 2 22|"; sid:1;)
Fast Pattern analysis:
Fast pattern matcher: content
Flags: None
Fast pattern set: no
Fast pattern only set: no
Fast pattern chop set: no
Original content: \x22\x22
Final content: \x22\x22
For comparison sake, snort throws the following fatal error
Initializing rule chains... ERROR: /tmp/test.rules Content hexmode argument has invalid number of hex digits. The argument '|22 2 22|' must contain a full even byte string. Fatal Error, Quitting..
Ideally we can get at least a warning generated on this condition?
JI Updated by Jason Ish about 4 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Jason Ish
- Target version changed from TBD to 7.0.0-beta1
- Affected Versions 6.0.4 added
Assigning to me, I fixed this while taking a closer look. Will do a PR tomorrow.
JI Updated by Jason Ish about 4 years ago
- Status changed from Assigned to In Review
JI Updated by Jason Ish about 4 years ago
- Label Needs backport to 5.0, Needs backport to 6.0 added
JL Updated by Jeff Lucovsky about 4 years ago
- Copied to Bug #5212: content:"22 2 22"; is parsed without error added
JL Updated by Jeff Lucovsky about 4 years ago
- Copied to Bug #5213: content:"22 2 22"; is parsed without error added
VJ Updated by Victor Julien almost 4 years ago
- Status changed from In Review to Closed
Actions