content:"22 2 22"; is parsed without error
This should probably cause Suricata to freak out. It was a rule bug in 2035512 and according to @bmurphy even Snort throws an error on this.
Updated by Brandon Murphy 11 months ago
Given the following rule:
alert tcp any any -> any any (msg:"test"; content:"|22 2 22|"; sid:1;)
Based on the fast_pattern analysis, Suricata appears to accept this incorrect hex content and actually skips the invalid byte:

== Sid: 1 ==
alert tcp any any -> any any (msg:"test"; content:"|22 2 22|"; sid:1;)
    Fast Pattern analysis:
        Fast pattern matcher: content
        Flags: None
        Fast pattern set: no
        Fast pattern only set: no
        Fast pattern chop set: no
        Original content: \x22\x22
        Final content: \x22\x22
For comparison's sake, Snort throws the following fatal error:

Initializing rule chains...
ERROR: /tmp/test.rules Content hexmode argument has invalid number of hex digits.
The argument '|22 2 22|' must contain a full even byte string.
Fatal Error, Quitting..
Ideally we can get at least a warning generated on this condition?
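A strict parser for the hex mode of the content keyword, added here as an example; it is not code from Suricata, Snort or this issue. It assumes a backslash may escape the characters \ | " ; : and is deliberately stricter than either tool: every whitespace-separated hex group must be a whole number of bytes, so the rule above is reported instead of being silently reduced to \x22\x22.

```python
import re

HEX_DIGITS = re.compile(r"[0-9A-Fa-f]+")
ESCAPABLE = '\\|";:'  # assumed set of characters a backslash may escape

class ContentError(ValueError):
    """A content argument that a strict rule parser should reject."""

def parse_content(arg: str) -> bytes:
    """Convert the text between the quotes of content:"..." into match bytes.

    Text outside |...| is literal; text inside a |...| pair is hex. Every
    whitespace-separated hex group must hold a whole number of bytes.
    """
    out = bytearray()
    i, n = 0, len(arg)
    while i < n:
        c = arg[i]
        if c == "\\":  # escaped reserved character
            if i + 1 >= n or arg[i + 1] not in ESCAPABLE:
                raise ContentError(f"bad escape sequence at offset {i}")
            out.append(ord(arg[i + 1]))
            i += 2
        elif c == "|":  # hex block runs to the next '|'
            end = arg.find("|", i + 1)
            if end < 0:
                raise ContentError("unterminated hex block")
            for group in arg[i + 1:end].split():
                if len(group) % 2 or not HEX_DIGITS.fullmatch(group):
                    raise ContentError(f"hex group {group!r} is not a whole "
                                       f"number of bytes in {arg[i:end + 1]!r}")
                out.extend(bytes.fromhex(group))
            i = end + 1
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)

def check_rule_contents(rule: str) -> list:
    """Return one message per content option in the rule that fails to parse."""
    errors = []
    for m in re.finditer(r'content:\s*!?"((?:[^"\\]|\\.)*)"', rule):
        try:
            parse_content(m.group(1))
        except ContentError as exc:
            errors.append(f'content:"{m.group(1)}": {exc}')
    return errors

# The rule from the issue, used as the sample input.
RULE = 'alert tcp any any -> any any (msg:"test"; content:"|22 2 22|"; sid:1;)'
```

Running check_rule_contents(RULE) returns one message naming the lone '2' group; a rule written as content:"|22 22|" passes cleanly.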
Updated by Victor Julien 10 months ago
- Status changed from In Review to Closed