Bug #6418
open
detect/parse: rule parser error uses outdated buffer
Added by Juliana Fajardini Reichow over 1 year ago.
Updated 11 days ago.
Description
The engine parse error for `http.uri` lacking a content match (because it should come after, not before) still mentions `http_uri`.
This is especially misleading because our documentation clearly states that the usage of `http_uri` requires `content` to come before.
Cf https://docs.suricata.io/en/latest/rules/http-keywords.html#http-uri-and-http-uri-raw
This task should also include updating the documentation to indicate that the syntax for `http.uri` differs from `http_uri`.
Error:
Error: [...] rule [...] setup buffer http_uri but didn't add matches to it [SigValidate:detect-parse.c:1933]
Error: detect: error parsing signature "alert http any any -> any any (msg:"Check http.uri"; content:"/images.gif"; http.uri; sid:3;)" from file test.rules at line 3 [DetectLoadSigFile:detect-engine-loader.c:180]
Error: suricata: Loading signatures failed. [LoadSignatures:suricata.c:2416]
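To make the placement rules in the report concrete, here is a small added example (hypothetical code written for this page, not Suricata's own parser): it walks a rule's option list, models `http.uri` as a sticky buffer (matches must follow it) and `http_uri` as a content modifier (a `content` must precede it), and reports the keyword the rule author actually wrote instead of the internal buffer name. The keyword tables, the message wording and the constructed sample rules are assumptions for illustration.

```python
"""Toy placement validator for http.uri (sticky buffer) vs http_uri (modifier).

Hypothetical example, not Suricata code. It only knows the two uri buffers
and emits the error with the user-facing keyword ("http.uri"), which is the
behaviour the bug report asks for, rather than the internal name "http_uri".
"""

import re
from typing import List, Optional, Tuple

# Sticky buffers: the keyword selects the buffer for the content matches that follow.
STICKY_BUFFERS = {"http.uri", "http.uri.raw"}
# Legacy content modifiers: the keyword applies to a content that came before it.
MODIFIERS = {"http_uri", "http_raw_uri"}

_OPTIONS_RE = re.compile(r"\((.*)\)\s*$")


def split_options(rule: str) -> List[Tuple[str, Optional[str]]]:
    """Split the parenthesised option list into (keyword, value) pairs.

    Quoted values may contain ';', so the scan is character by character
    instead of a plain str.split(';').
    """
    m = _OPTIONS_RE.search(rule)
    if not m:
        raise ValueError("rule has no option list")
    raw, buf, in_quote = [], "", False
    for ch in m.group(1):
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if buf.strip():
                raw.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        raw.append(buf.strip())
    out = []
    for opt in raw:
        key, _, val = opt.partition(":")
        out.append((key.strip(), val.strip() or None))
    return out


def validate(rule: str) -> List[str]:
    """Return placement errors for one rule (empty list means the rule is fine)."""
    options = split_options(rule)
    # sid normally sits at the end of the rule, so look it up before walking.
    sid = next((v for k, v in options if k == "sid"), "?")

    errors: List[str] = []
    sticky_kw: Optional[str] = None   # sticky buffer currently selected, by keyword
    sticky_has_match = False          # did any content follow the sticky keyword?
    content_before_modifier = False   # is there a content a modifier may attach to?

    for kw, _ in options:
        if kw in STICKY_BUFFERS:
            if sticky_kw is not None and not sticky_has_match:
                errors.append(f"rule {sid} setup buffer {sticky_kw} but didn't add matches to it")
            sticky_kw, sticky_has_match = kw, False
            content_before_modifier = False
        elif kw in MODIFIERS:
            if not content_before_modifier:
                errors.append(f"rule {sid} {kw} needs a preceding content option")
        elif kw == "content":
            if sticky_kw is not None:
                sticky_has_match = True
            content_before_modifier = True

    if sticky_kw is not None and not sticky_has_match:
        errors.append(f"rule {sid} setup buffer {sticky_kw} but didn't add matches to it")
    return errors


# Constructed sample rules: the one from the report plus its three siblings.
BAD_STICKY = 'alert http any any -> any any (msg:"Check http.uri"; content:"/images.gif"; http.uri; sid:3;)'
GOOD_STICKY = 'alert http any any -> any any (msg:"sticky ok"; http.uri; content:"/images.gif"; sid:4;)'
GOOD_MODIFIER = 'alert http any any -> any any (msg:"modifier ok"; content:"/images.gif"; http_uri; sid:5;)'
BAD_MODIFIER = 'alert http any any -> any any (msg:"modifier bad"; http_uri; content:"/images.gif"; sid:6;)'

if __name__ == "__main__":
    for r in (BAD_STICKY, GOOD_STICKY, GOOD_MODIFIER, BAD_MODIFIER):
        print(validate(r) or "ok")
```

The first sample rule is the one from the report; the validator flags it with `http.uri` in the message, so the operator is pointed at the keyword to move rather than at a name that only exists inside the engine.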
- Copied from Bug #5177: detect/analyzer: rule analyzer warns about http buffers usage added
- Assignee changed from Juliana Fajardini Reichow to OISF Dev
- Target version changed from 8.0.0-beta1 to 8.0.0-rc1
- Subject changed from detect/engine-analyzer: rule parser error uses outdated buffer to engine/analysis: rule parser error uses outdated buffer
- Subject changed from engine/analysis: rule parser error uses outdated buffer to detect/parse: rule parser error uses outdated buffer
I think that's caused because we register the http.uri buffer id with the name http_uri, and thus that's what is shown in the error message.
- Related to Task #4707: detect: unify internal buffer names to use <proto>.<buffer> naming added
I think there is no problem here: buffers are not the same as keywords...
Philippe Antoine wrote in #note-8:
I think there is no problem here: buffers are not the same as keywords...
Ok, but for a rule like:
alert http any any -> any any (msg:"HTTP Request Example new buffer, wrong content placement"; flow:established,to_server; content:"/index.html"; http.uri; sid:27; rev:1;)
Should we get an error like:
Error: detect-parse: rule 27 setup buffer http_uri but didn't add matches to it [SigValidate:detect-parse.c:2501]
?
For me, it makes sense
I see your point that it can be confusing, but I do not see a simple fix for 8rc1
- Target version changed from 8.0.0-rc1 to 9.0.0-beta1