Bug #6834
iprep: rule with '=,0' can't match
Status: closed
Affected Versions:
Effort: low
Difficulty:
Label:
Description
Looking at this rule:
alert tcp any any -> any any (msg:"src not in iprep list";sid:1;iprep:src,myCategory,=,0;)
Suricata accepts it, giving me the impression that if a packet arrives with a src IP not in the referenced iprep list, it will match this rule.
However, if you look at this code, we actually never call the match method unless the IP reputation score is > 0.
if (val > 0) { return DetectU8Match(val, &rd->du8); } break;
Therefore, even if I want my alert rule to match on that condition, the rule never gets evaluated.
I'd call this a bug, as Suricata accepts '=,0' as valid arguments. It should honor the intent of the rule, or reject it at startup. As this is a valid use case, e.g. alert on IPs not on a list of known sources, I'd prefer we implement the behavior rather than reject the rule.
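To make the failure mode concrete, the following is an added illustrative model of the match decision described above; it is not Suricata's code and not the fix that was merged. The reputation table, the `LookupRep`, `U8Match`, `IprepMatchBuggy` and `IprepMatchFixed` functions, and the sample IPs are all constructed for this example. The "buggy" variant keeps the `val > 0` guard from the quoted line, so a source absent from the list (reputation 0) never reaches the comparison; the "fixed" variant evaluates the comparison for every value, which is the behaviour the reporter asks for.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed reputation list for one category ("myCategory").
 * Any IP not present in the table has a reputation of 0. */
struct RepEntry { const char *ip; uint8_t rep; };
static const struct RepEntry kMyCategory[] = {
    { "192.0.2.10", 50 },
    { "192.0.2.20", 120 },
};

/* Hypothetical lookup: returns the listed score, or 0 when the IP is absent. */
static uint8_t LookupRep(const char *ip) {
    for (size_t i = 0; i < sizeof(kMyCategory) / sizeof(kMyCategory[0]); i++) {
        if (strcmp(kMyCategory[i].ip, ip) == 0)
            return kMyCategory[i].rep;
    }
    return 0; /* not in the list */
}

/* Comparison operators a rule can express: '=', '>' and '<'. */
enum RepMode { REP_EQ, REP_GT, REP_LT };

/* Hypothetical stand-in for the u8 comparison the rule argument drives. */
static bool U8Match(uint8_t val, enum RepMode mode, uint8_t arg) {
    switch (mode) {
        case REP_EQ: return val == arg;
        case REP_GT: return val > arg;
        case REP_LT: return val < arg;
    }
    return false;
}

/* Behaviour described in the ticket: the comparison only runs when the
 * looked-up reputation is > 0, so '=,0' (and any '<,N') can never match a
 * host that is not on the list, even though the rule loads without error. */
static bool IprepMatchBuggy(const char *ip, enum RepMode mode, uint8_t arg) {
    uint8_t val = LookupRep(ip);
    if (val > 0)
        return U8Match(val, mode, arg);
    return false;
}

/* Intended behaviour: "not in the list" is reputation 0 and the
 * comparison is always evaluated, so '=,0' alerts on unlisted sources. */
static bool IprepMatchFixed(const char *ip, enum RepMode mode, uint8_t arg) {
    uint8_t val = LookupRep(ip);
    return U8Match(val, mode, arg);
}

int main(void) {
    const char *unknown = "198.51.100.7"; /* constructed, not in the list */
    printf("buggy '=,0' on unlisted src: %d\n", IprepMatchBuggy(unknown, REP_EQ, 0));
    printf("fixed '=,0' on unlisted src: %d\n", IprepMatchFixed(unknown, REP_EQ, 0));
    printf("fixed '>,100' on listed src: %d\n", IprepMatchFixed("192.0.2.20", REP_GT, 100));
    return 0;
}
```

Running the model shows why the rule loads but never fires: only the `val > 0` guard stands between the unlisted source and a successful `=,0` comparison, and the same guard also silently disables `<,N` rules for unlisted hosts.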
Updated by Victor Julien 8 months ago
- Assignee changed from OISF Dev to Victor Julien
Updated by Victor Julien 8 months ago
- Subject changed from Rule with iprep keyword never matches when used with '=,0' to iprep: rule with '=,0' can't match
Updated by Victor Julien 8 months ago
- Related to Feature #6857: iprep: support seeing if rule is part of a rep list added
Updated by Victor Julien 7 months ago
- Status changed from New to In Progress
- Target version changed from TBD to 8.0.0-beta1
- Label Needs backport to 7.0 added
Updated by Victor Julien 7 months ago
- Status changed from In Progress to In Review
Updated by Victor Julien 7 months ago
- Status changed from In Review to Resolved