https://redmine.openinfosecfoundation.org/https://redmine.openinfosecfoundation.org/favicon.ico?17011170022012-10-20T04:37:50ZOpen Information Security FoundationSuricata - Bug #599: IP Rules Failing "not" matchinghttps://redmine.openinfosecfoundation.org/issues/599?journal_id=23902012-10-20T04:37:50ZVictor Julienvictor@inliniac.net
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Assigned</i></li><li><strong>Assignee</strong> set to <i>Anoop Saldanha</i></li><li><strong>Target version</strong> set to <i>1.4beta3</i></li></ul><p>Maybe the ip-only code doesn't handle negated matching very well.</p>
<p>Can you add unittests?</p>
<p>A quick fix may be to exclude rules with negated addresses from ip only, but ideally we'd just support it properly.</p> Suricata - Bug #599: IP Rules Failing "not" matchinghttps://redmine.openinfosecfoundation.org/issues/599?journal_id=23912012-10-20T12:41:57ZAnoop Saldanhaanoopsaldanha@gmail.com
<ul></ul><p>Going for the quick fix for now.</p>
<p>Will add the unittests as well.</p> Suricata - Bug #599: IP Rules Failing "not" matchinghttps://redmine.openinfosecfoundation.org/issues/599?journal_id=23922012-10-21T22:18:07ZAnoop Saldanhaanoopsaldanha@gmail.com
<ul></ul><p>[192.168.0.0/16,!192.168.1.0/24,192.168.1.1]</p>
<p>What would be the interpretation for this?</p>
<p>Is it,</p>
<p>192.168.0.0 - 192.168.0.255, 192.168.1.1 - 192.168.1.1, 192.168.2.0 - 192.168.255.255?</p> Suricata - Bug #599: IP Rules Failing "not" matchinghttps://redmine.openinfosecfoundation.org/issues/599?journal_id=23932012-10-22T00:47:14ZVictor Julienvictor@inliniac.net
<ul></ul><p>Yeah sounds right.</p> Suricata - Bug #599: IP Rules Failing "not" matchinghttps://redmine.openinfosecfoundation.org/issues/599?journal_id=24022012-10-25T07:03:38ZAnoop Saldanhaanoopsaldanha@gmail.com
<ul></ul><p>Should</p>
<p>[192.168.1.0/24, ![192.168.1.10 - 192.168.1.40], 192.168.1.20 - 192.168.1.30]</p>
<p>be</p>
<p>192.168.1.0-192.168.1.9,<br />192.168.1.20-192.168.1.30,<br />192.168.1.41-192.168.1.255</p>
<p>or</p>
<p>192.168.1.0-192.168.1.9<br />192.168.1.41-192.168.1.255</p>
<p>?</p> Suricata - Bug #599: IP Rules Failing "not" matchinghttps://redmine.openinfosecfoundation.org/issues/599?journal_id=25022012-11-14T12:08:56ZVictor Julienvictor@inliniac.net
<ul><li><strong>Target version</strong> changed from <i>1.4beta3</i> to <i>1.4rc1</i></li></ul> Suricata - Bug #599: IP Rules Failing "not" matchinghttps://redmine.openinfosecfoundation.org/issues/599?journal_id=25342012-11-26T12:14:21ZAnoop Saldanhaanoopsaldanha@gmail.com
<ul><li><strong>% Done</strong> changed from <i>0</i> to <i>30</i></li></ul><p><a class="external" href="https://github.com/inliniac/suricata/pull/223">https://github.com/inliniac/suricata/pull/223</a></p>
<p>Temporary fix.</p> Suricata - Bug #599: IP Rules Failing "not" matchinghttps://redmine.openinfosecfoundation.org/issues/599?journal_id=25412012-11-27T03:02:14ZVictor Julienvictor@inliniac.net
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Closed</i></li><li><strong>Priority</strong> changed from <i>High</i> to <i>Normal</i></li><li><strong>% Done</strong> changed from <i>30</i> to <i>100</i></li></ul><p>Merged, thanks Anoop!</p> Suricata - Bug #599: IP Rules Failing "not" matchinghttps://redmine.openinfosecfoundation.org/issues/599?journal_id=25452012-11-27T03:41:14ZAnoop Saldanhaanoopsaldanha@gmail.com
<ul><li><strong>Priority</strong> changed from <i>Normal</i> to <i>High</i></li><li><strong>Target version</strong> changed from <i>1.4rc1</i> to <i>1.4beta3</i></li><li><strong>% Done</strong> changed from <i>100</i> to <i>0</i></li></ul><ul>
<li>Inspect the existence of this bug on 1.3x branch and fix if it exists.</li>
</ul> Suricata - Bug #599: IP Rules Failing "not" matchinghttps://redmine.openinfosecfoundation.org/issues/599?journal_id=25462012-11-27T06:39:03ZVictor Julienvictor@inliniac.net
<ul><li><strong>Priority</strong> changed from <i>High</i> to <i>Normal</i></li><li><strong>Target version</strong> changed from <i>1.4beta3</i> to <i>1.4rc1</i></li></ul><p>If the issue exists on 1.3.x as well, please open a ticket for 1.3.5.</p>