Project

General

Profile

Actions

Bug #6655

open

invalid distance/within does not produce an error

Added by Brandon Murphy 5 months ago. Updated 5 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Consider the following rules which contain an improperly formatted distance/within due to the inclusion of a comma instead of a semi-colon distance:4, within:5;

alert tls $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; tls.cert_subject; content:"C=US, ST=Colorado, L=Aurora, streetAddress=, postalCode="; fast_pattern; content:", CN="; distance:4, within:5; sid:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; tls.cert_subject; content:"C=US, ST=Colorado, L=Aurora, streetAddress=, postalCode="; fast_pattern; content:", O=inc, CN="; nocase; distance:4, within:12; sid:2;)

Current Behavior

Within Suricata 5.0.0 and 5.0.10 the following error is produced when loading these rules

2/1/2024 -- 16:37:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - invalid value for distance: 4, within:5
2/1/2024 -- 16:37:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; tls.cert_subject; content:"C=US, ST=Colorado, L=Aurora, streetAddress=, postalCode="; fast_pattern; content:", CN="; distance:4, within:5; sid:1;)" from file /tmp/5e9c56913ae8e295_Jan-02-2024_16-37-03/dalton-custom.rules at line 1
2/1/2024 -- 16:37:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - invalid value for distance: 4, within:12
2/1/2024 -- 16:37:03 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tls $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; tls.cert_subject; content:"C=US, ST=Colorado, L=Aurora, streetAddress=, postalCode="; fast_pattern; content:", O=inc, CN="; nocase; distance:4, within:12; sid:2;)" from file /tmp/5e9c56913ae8e295_Jan-02-2024_16-37-03/dalton-custom.rules at line 2

However, starting in Suricata 6.0.0 and continuing to git-master, no errors are produced and the rules are loaded.

There is a difference in behavior when these rules are loaded between suricata 6.0 and 7.0+

Suricata 6.0.0 and 6.0.15 do not produce any alerts, however Suricata 7.0 - git master do actually produce 2 alerts (one for each signature)

Expected Behavior

All versions of suricata should produce an error when attempting to load the rule and not load the invalid rules

Notes

This also appears to impact the within keyword as well as no error is produced in the following rules. Though there is a different alerting behavior as only sid:2 alerts, which is actually correct logic, despite the comma instead of semi-colon.

alert tls $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; tls.cert_subject; content:"C=US, ST=Colorado, L=Aurora, streetAddress=, postalCode="; fast_pattern; content:", CN="; distance:4; within:5, tls.cert_issuer; content:"C=US"; sid:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (flow:established,to_client; tls.cert_subject; content:"C=US, ST=Colorado, L=Aurora, streetAddress=, postalCode="; fast_pattern; content:", O=inc, CN="; nocase; distance:4; within:12, tls.cert_issuer; content:"C=US"; sid:2;)

pcap is attached to ease replication.


Files

30c5d3704711068.pcap (2.24 KB) 30c5d3704711068.pcap Brandon Murphy, 01/02/2024 05:43 PM
Actions #1

Updated by Brandon Murphy 5 months ago

  • Affected Versions 7.0.0, 6.0.15 added
Actions

Also available in: Atom PDF