Consider the following rules which contain an improperly formatted distance/within due to the inclusion of a comma instead of a semi-colon distance:4, within:5;

alert tls $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; tls.cert_subject; content:"C=US, ST=Colorado, L=Aurora, streetAddress=, postalCode="; fast_pattern; content:", CN="; distance:4, within:5; sid:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; tls.cert_subject; content:"C=US, ST=Colorado, L=Aurora, streetAddress=, postalCode="; fast_pattern; content:", O=inc, CN="; nocase; distance:4, within:12; sid:2;)

Current Behavior¶

Within Suricata 5.0.0 and 5.0.10 the following error is produced when loading these rules

2/1/2024 -- 16:37:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - invalid value for distance: 4, within:5
2/1/2024 -- 16:37:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; tls.cert_subject; content:"C=US, ST=Colorado, L=Aurora, streetAddress=, postalCode="; fast_pattern; content:", CN="; distance:4, within:5; sid:1;)" from file /tmp/5e9c56913ae8e295_Jan-02-2024_16-37-03/dalton-custom.rules at line 1
2/1/2024 -- 16:37:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - invalid value for distance: 4, within:12
2/1/2024 -- 16:37:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; tls.cert_subject; content:"C=US, ST=Colorado, L=Aurora, streetAddress=, postalCode="; fast_pattern; content:", O=inc, CN="; nocase; distance:4, within:12; sid:2;)" from file /tmp/5e9c56913ae8e295_Jan-02-2024_16-37-03/dalton-custom.rules at line 2

However, starting in Suricata 6.0.0 and continuing to git-master, no errors are produced and the rules are loaded.

There is a difference in behavior when these rules are loaded between suricata 6.0 and 7.0+

Suricata 6.0.0 and 6.0.15 do not produce any alerts, however Suricata 7.0 - git master do actually produce 2 alerts (one for each signature)

Expected Behavior¶

All versions of suricata should produce an error when attempting to load the rule and not load the invalid rules

Notes¶

This also appears to impact the within keyword as well as no error is produced in the following rules. Though there is a different alerting behavior as only sid:2 alerts, which is actually correct logic, despite the comma instead of semi-colon.

alert tls $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; tls.cert_subject; content:"C=US, ST=Colorado, L=Aurora, streetAddress=, postalCode="; fast_pattern; content:", CN="; distance:4; within:5, tls.cert_issuer; content:"C=US"; sid:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; tls.cert_subject; content:"C=US, ST=Colorado, L=Aurora, streetAddress=, postalCode="; fast_pattern; content:", O=inc, CN="; nocase; distance:4; within:12, tls.cert_issuer; content:"C=US"; sid:2;)

pcap is attached to ease replication.