Actions
Bug #5576
openDataset is setting data despite the signature being a complete match
Affected Versions:
Effort:
Difficulty:
Label:
Description
The following rule doesn't match on the content of the pcap:
alert http any any -> $HOME_NET any (msg:"HTTP learning"; flow:established,to_client; http.content_type; content:"noone"; http.server; content:"ECS"; fast_pattern; dataset:set,http,type string,state output/http.intel; sid:2; rev:1; priority:2;)
But the data for the dataset is still set. This is not expected if we compare datasets to behave like flowbits at that point. A flowbit is only set POSTMATCH, so dataset should as well when setting actual data to a set.
Attached pcap to reproduce it.
Suricata-Verify test will follow
Files
Updated by Andreas Herz over 2 years ago
Updated by Victor Julien over 2 years ago
The set-alert pattern is used to match on the initial set.
Updated by Eric Leblond over 2 years ago
- Status changed from Assigned to In Review
- Assignee changed from Shivani Bhardwaj to Eric Leblond
Code proposal for master: https://github.com/OISF/suricata/pull/8114
Updated by Philippe Antoine 9 months ago
- Assignee changed from Eric Leblond to Philippe Antoine
- Target version changed from TBD to 8.0.0-beta1
Taking this over from https://github.com/OISF/suricata/pull/8123
Updated by Philippe Antoine 9 months ago
- Status changed from In Review to In Progress
Updated by Philippe Antoine 9 months ago
- Related to Security #7195: datasets: rule with unset makes suricata abort added
Updated by Philippe Antoine 9 months ago
- Related to Bug #7197: detect/flowvars: persist if the inspection happens on multiple packets added
Updated by Philippe Antoine 8 months ago
- Status changed from In Progress to In Review
Updated by Philippe Antoine 7 months ago
- Related to Bug #7326: http: FN with prefilter if the first of multi buffer did not match added
Updated by Victor Julien about 1 month ago
- Target version changed from 8.0.0-beta1 to 8.0.0-rc1
Actions