Feature #5576
open
Dataset is setting data despite the signature being a complete match
Added by Andreas Herz almost 3 years ago.
Updated 15 days ago.
Description
The following rule doesn't match on the content of the pcap:
alert http any any -> $HOME_NET any (msg:"HTTP learning"; flow:established,to_client; http.content_type; content:"noone"; http.server; content:"ECS"; fast_pattern; dataset:set,http,type string,state output/http.intel; sid:2; rev:1; priority:2;)
But the data for the dataset is still set. This is not expected if we compare datasets to behave like flowbits at that point. A flowbit is only set POSTMATCH, so dataset should as well when setting actual data to a set.
Attached pcap to reproduce it.
Suricata-Verify test will follow
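The point of the report is ordering: whether the dataset write happens as soon as the buffer carrying the dataset keyword matches, or only after the whole signature has matched (the flowbits "postmatch" behaviour the reporter expects). The following is an added illustration, not Suricata code and not the reporter's test; it models the two orderings with a tiny evaluator over the two sticky buffers used in the rule above. The transactions, the function names and the evaluation model are assumptions made for the example; the base64 encoding of string-type values mirrors the state file format Suricata documents for string datasets.

```python
import base64
from typing import Callable, Dict, List, Set, Tuple

# Ordered (sticky buffer, content) pairs taken from the rule in the report.
# The dataset:set keyword in that rule applies to the last sticky buffer,
# http.server, so that buffer's value is what gets written to the set.
RULE_CONTENTS: List[Tuple[str, str]] = [
    ("http.content_type", "noone"),
    ("http.server", "ECS"),
]
DATASET_BUFFER = "http.server"

# Constructed transactions for the example; they are NOT taken from the pcap
# attached to the issue. TX_PARTIAL only satisfies the http.server content,
# TX_FULL satisfies every content in the rule.
TX_PARTIAL: Dict[str, str] = {"http.content_type": "text/html",
                              "http.server": "ECS (dcb/7EA3)"}
TX_FULL: Dict[str, str] = {"http.content_type": "noone",
                           "http.server": "ECS (dcb/7EA3)"}


def set_on_inspect(tx: Dict[str, str], dataset: Set[str]) -> bool:
    """Reported behaviour (model): the value is added to the set as soon as
    the buffer carrying the dataset keyword matches its own content, even if
    another buffer in the same signature fails to match."""
    matched = True
    for buf, needle in RULE_CONTENTS:
        hit = needle in tx[buf]
        if buf == DATASET_BUFFER and hit:
            dataset.add(tx[buf])  # written before the full signature is known
        matched = matched and hit
    return matched


def set_postmatch(tx: Dict[str, str], dataset: Set[str]) -> bool:
    """Expected behaviour (model): evaluate every content first and only
    touch the set once the whole signature matched, like a flowbits set."""
    matched = all(needle in tx[buf] for buf, needle in RULE_CONTENTS)
    if matched:
        dataset.add(tx[DATASET_BUFFER])
    return matched


def run(strategy: Callable[[Dict[str, str], Set[str]], bool],
        txs: List[Dict[str, str]]) -> Tuple[List[bool], Set[str]]:
    """Feed each transaction through one ordering; return (alerts, set)."""
    dataset: Set[str] = set()
    alerts = [strategy(tx, dataset) for tx in txs]
    return alerts, dataset


def render_state(dataset: Set[str]) -> str:
    """Render a string-type set the way the state file stores it: one
    base64-encoded value per line (assumption based on the documented
    dataset string format; sorted here only for a stable output)."""
    return "".join(base64.b64encode(v.encode()).decode() + "\n"
                   for v in sorted(dataset))


if __name__ == "__main__":
    for name, strategy in (("set on inspect", set_on_inspect),
                           ("set postmatch", set_postmatch)):
        alerts, ds = run(strategy, [TX_PARTIAL])
        print(f"{name}: alert={alerts[0]} set={sorted(ds)}")
        print(render_state(ds), end="")
```

Running the model over TX_PARTIAL shows the reported discrepancy directly: no alert in either ordering, but the "set on inspect" ordering still leaves "ECS (dcb/7EA3)" in the set, while the postmatch ordering leaves it empty until TX_FULL arrives.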
The set-alert pattern is used to match on the initial set.
- Status changed from Assigned to In Review
- Assignee changed from Shivani Bhardwaj to Eric Leblond
- Assignee changed from Eric Leblond to Philippe Antoine
- Target version changed from TBD to 8.0.0-beta1
- Status changed from In Review to In Progress
- Related to Security #7195: datasets: rule with unset makes suricata abort added
- Related to Bug #7197: detect/flowvars: persist if the inspection happens on multiple packets added
- Status changed from In Progress to In Review
- Related to Bug #7326: http: FN with prefilter if the first of multi buffer did not match added
- Target version changed from 8.0.0-beta1 to 8.0.0-rc1
- Target version changed from 8.0.0-rc1 to 8.0.0
- Target version changed from 8.0.0 to 9.0.0-beta1
Will consider backport to 8 based on complexity of the fix.
- Tracker changed from Bug to Feature
- Affected Versions deleted (6.0.8)