Bug #562: normal pattern and "chopped" pattern share id, leading to possible FP - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #562

closed

normal pattern and "chopped" pattern share id, leading to possible FP

Added by Victor Julien over 11 years ago. Updated over 11 years ago.

Status:

Closed

Priority:

High

Assignee:

Anoop Saldanha

Target version:

1.3.2

Affected Versions:

Effort:

Difficulty:

Label:

Description

detect validation trusts mpm, but due to shared id match of pattern may actually be a partial match

Please create a patch for 1.3.x and master branches.

Please also add a unit test to make sure a normal and a fp chop pattern won't get the same id.

Actions

Copy link

Updated by Victor Julien over 11 years ago

Priority changed from Normal to High

Actions

Copy link

Updated by Anoop Saldanha over 11 years ago

Status changed from Assigned to Resolved

There are 2 ways to fix this -

1. Update the pattern id retrieval.
2. Disable inspection bypass.

Solution (1) requires changes which not be advisable going into 1.3.2. - https://github.com/inliniac/suricata/pull/114

Solution (2) is the suggested and supplied solution for 1.3.x.

1.4beta, i.e. bug #574 will solve this using (1)

Actions

Copy link

Updated by Victor Julien over 11 years ago

Status changed from Resolved to Closed
% Done changed from 0 to 100

Merged https://github.com/inliniac/suricata/pull/114, thanks!

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #562

normal pattern and "chopped" pattern share id, leading to possible FP

Updated by Victor Julien over 11 years ago

Updated by Anoop Saldanha over 11 years ago

Updated by Victor Julien over 11 years ago