Project

General

Profile

Actions

Feature #5784

closed

detect: allow cross buffer inspection on multi-buffer matches

Added by Philippe Antoine almost 2 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Cf calls to InspectionBufferSetupMulti to have the keywords which use multibuffer

If I have the rules

alert mqtt any any -> any any (msg:"HTTP2 - Two Headers - Authority/Method"; mqtt.subscribe.topic; content:"topicX"; mqtt.subscribe.topic; content:"topicY"; sid:5;)
alert mqtt any any -> any any (msg:"HTTP2 - Two Headers - Authority/Method"; mqtt.subscribe.topic; content:"topicY"; sid:6;)
alert mqtt any any -> any any (msg:"HTTP2 - Two Headers - Authority/Method"; mqtt.subscribe.topic; content:"topicX"; sid:7;)

And run them on S-V test mqtt-sub-rules/mqtt5_sub_userpass.pcap

I get alerts for sid 6 and 7 on the same packet and transaction, but not for sid 5

In this pcap, there is a MQTT subscribe for these two different topics : topicX and topicY
But there is no topic which contain both content topicX and topicY at the same time

There is no such feature in the detection engine to have "multiple buffer" keywords have different contents for different buffers (and still have the ability to have multiple content for only one buffer)
The different contents for a unique sm_list (value can be g_http2_header_buffer_id) are aggregated in a single SigMatchData linked list

Victor, assigning to you as this requires deep design


Related issues 2 (0 open2 closed)

Related to Suricata - Bug #5780: HTTP/2 - FN when matching on multiple http2.header contentsClosedPhilippe AntoineActions
Related to Suricata - Documentation #6032: detect: document new multi-instance logicClosedJason TaylorActions
Actions

Also available in: Atom PDF