Project

General

Profile

Actions
Copy link

Feature #5576

open
AH PA

Dataset is setting data despite the signature being a complete match

Feature #5576: Dataset is setting data despite the signature being a complete match

Added by Andreas Herz over 3 years ago. Updated 9 months ago.

Status:
In Review
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:

Description

The following rule doesn't match on the content of the pcap:

alert http any any -> $HOME_NET any (msg:"HTTP learning"; flow:established,to_client; http.content_type; content:"noone"; http.server; content:"ECS"; fast_pattern; dataset:set,http,type string,state output/http.intel; sid:2; rev:1; priority:2;)

But the data for the dataset is still set. This is not expected if we compare datasets to behave like flowbits at that point. A flowbit is only set POSTMATCH, so dataset should as well when setting actual data to a set.

Attached pcap to reproduce it.
Suricata-Verify test will follow

Files

input.pcap (1.88 KB) input.pcap Andreas Herz, 10/14/2022 11:33 AM

Related issues 4 (2 open2 closed)

Related to Suricata - Security #7195: datasets: rule with unset makes suricata abortClosedPhilippe AntoineActions
Related to Suricata - Bug #7197: detect/flowvars: persist if the inspection happens on multiple packetsAssignedOISF DevActions
Related to Suricata - Bug #7326: http: FN with prefilter if the first of multi buffer did not matchClosedPhilippe AntoineActions
Blocks Suricata - Story #7900: 9.0.0: rules: improve rule languageAssignedVictor JulienActions

VJ Updated by Victor Julien over 3 years ago Actions
Copy link
 #2

The set-alert pattern is used to match on the initial set.

EL Updated by Eric Leblond over 3 years ago Actions
Copy link
 #3

  • Status changed from Assigned to In Review
  • Assignee changed from Shivani Bhardwaj to Eric Leblond

PA Updated by Philippe Antoine over 1 year ago Actions
Copy link
 #4

  • Assignee changed from Eric Leblond to Philippe Antoine
  • Target version changed from TBD to 8.0.0-beta1

PA Updated by Philippe Antoine over 1 year ago Actions
Copy link
 #5

  • Status changed from In Review to In Progress

PA Updated by Philippe Antoine over 1 year ago Actions
Copy link
 #6

  • Related to Security #7195: datasets: rule with unset makes suricata abort added

PA Updated by Philippe Antoine over 1 year ago Actions
Copy link
 #7

  • Related to Bug #7197: detect/flowvars: persist if the inspection happens on multiple packets added

PA Updated by Philippe Antoine over 1 year ago Actions
Copy link
 #8

  • Status changed from In Progress to In Review

PA Updated by Philippe Antoine over 1 year ago Actions
Copy link
 #9

  • Related to Bug #7326: http: FN with prefilter if the first of multi buffer did not match added

VJ Updated by Victor Julien 12 months ago Actions
Copy link
 #10

  • Target version changed from 8.0.0-beta1 to 8.0.0-rc1

SB Updated by Shivani Bhardwaj 10 months ago Actions
Copy link
 #11

  • Target version changed from 8.0.0-rc1 to 8.0.0

VJ Updated by Victor Julien 10 months ago Actions
Copy link
 #12

  • Target version changed from 8.0.0 to 9.0.0-beta1

Will consider backport to 8 based on complexity of the fix.

PA Updated by Philippe Antoine 9 months ago Actions
Copy link
 #13

  • Tracker changed from Bug to Feature
  • Affected Versions deleted (6.0.8)

PA Updated by Philippe Antoine 7 months ago Actions
Copy link
 #14

  • Blocks Story #7900: 9.0.0: rules: improve rule language added
Actions
Copy link

Also available in: PDF Atom