Bug #5201

closed

content:"22 2 22"; is parsed without error

Added by Gianni Tedesco about 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport to 5.0, Needs backport to 6.0

Description

This should probably cause suricata to freak out. It was a rule bug in 2035512 and according to @bmurphy even snort throws an error on this.


Related issues 2 (0 open, 2 closed)

Copied to Suricata - Bug #5212: content:"22 2 22"; is parsed without error (Closed, Victor Julien)
Copied to Suricata - Bug #5213: content:"22 2 22"; is parsed without error (Closed, Jeff Lucovsky)
Actions #1

Updated by Brandon Murphy about 2 years ago

Given the following rule:

alert tcp any any -> any any (msg:"test"; content:"|22 2 22|"; sid:1;)

Based on the fast_pattern analysis, Suricata appears to accept this incorrect hex content and actually skips the invalid byte.

== Sid: 1 ==
alert tcp any any -> any any (msg:"test"; content:"|22 2 22|"; sid:1;)
    Fast Pattern analysis:
        Fast pattern matcher: content
        Flags: None
        Fast pattern set: no
        Fast pattern only set: no
        Fast pattern chop set: no
        Original content: \x22\x22
        Final content: \x22\x22

For comparison's sake, Snort throws the following fatal error:

Initializing rule chains...
ERROR: /tmp/test.rules Content hexmode argument has invalid number of hex digits.  The argument '|22 2 22|' must contain a full even byte string.
Fatal Error, Quitting..

Ideally we can get at least a warning generated on this condition?
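
As an added example (not Suricata's or Snort's own code) of the check this comment asks for: a small C parser for the content keyword's hex mode that rejects a group with an odd number of hex digits, as Snort's error message describes, instead of skipping the stray nibble. The helper names content_parse and content_parse_len are hypothetical, and the check generalizes to multi-byte groups such as |2222|.

```c
#include <ctype.h>
#include <stddef.h>

/* Value of one hex digit; the caller has already checked isxdigit(). */
static int hexval(char c)
{
    return isdigit((unsigned char)c) ? c - '0' : tolower((unsigned char)c) - 'a' + 10;
}

/* Hypothetical parser for a content: value. Text outside |...| is copied
 * literally; inside, whitespace-separated groups of hex digits are decoded.
 * Each group must have an even, non-zero digit count, so "|22 2 22|" is
 * rejected instead of the lone "2" being dropped. Returns length or -1. */
int content_parse(const char *s, unsigned char *out, size_t outlen)
{
    size_t n = 0;
    int hexmode = 0;

    for (const char *p = s; *p != '\0'; p++) {
        if (*p == '|') {                   /* toggle literal/hex mode */
            hexmode = !hexmode;
            continue;
        }
        if (!hexmode) {
            if (n >= outlen) return -1;
            out[n++] = (unsigned char)*p;
            continue;
        }
        if (isspace((unsigned char)*p)) continue;   /* separator between groups */
        size_t digits = 0;
        while (isxdigit((unsigned char)p[digits]))
            digits++;
        if (digits == 0 || digits % 2 != 0)
            return -1;                     /* non-hex byte, or odd digit count */
        for (size_t i = 0; i < digits; i += 2) {
            if (n >= outlen) return -1;
            out[n++] = (unsigned char)(hexval(p[i]) << 4 | hexval(p[i + 1]));
        }
        p += digits - 1;                   /* the loop's p++ steps past the group */
    }
    return hexmode ? -1 : (int)n;          /* unbalanced '|' is also an error */
}

/* Decoded length only, for quick checks; -1 on a malformed value. */
int content_parse_len(const char *s)
{
    unsigned char scratch[256];
    return content_parse(s, scratch, sizeof scratch);
}
```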

Actions #2

Updated by Jason Ish about 2 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Jason Ish
  • Target version changed from TBD to 7.0.0-beta1
  • Affected Versions 6.0.4 added

Assigning to me, I fixed this while taking a closer look. Will do a PR tomorrow.

Actions #3

Updated by Jason Ish about 2 years ago

  • Status changed from Assigned to In Review

Actions #4

Updated by Jason Ish about 2 years ago

  • Label Needs backport to 5.0, Needs backport to 6.0 added

Actions #5

Updated by Jeff Lucovsky about 2 years ago

  • Copied to Bug #5212: content:"22 2 22"; is parsed without error added

Actions #6

Updated by Jeff Lucovsky about 2 years ago

  • Copied to Bug #5213: content:"22 2 22"; is parsed without error added