Actions
Bug #6834
closed
RH
VJ
iprep: rule with '=,0' can't match
Bug #6834:
iprep: rule with '=,0' can't match
Description
Looking at this rule:
alert tcp any any -> any any (msg:"src not in iprep list";sid:1;iprep:src,myCategory,=,0;)
Suricata accepts it, giving me the impression that if a packet arrives with a src IP not in the referenced iprep list, it will match this rule.
However, if you look at this code, we actually never call the match method, unless the ip reputation score is > 0.
if (val > 0) {
return DetectU8Match(val, &rd->du8);
}
break;
therefore, even if I want my alert rule to match on that condition, the rule never gets evaluated.
I'd call this a bug, as Suricata accepts '=,0' as valid arguments. It should honor the intent of the rule, or reject it at startup. As this is valid use case, e.g. alert on IPs not on a list of known sources, I'd prefer we implement the behavior rather than reject the rule.
VJ Updated by Victor Julien about 2 years ago
- Assignee changed from OISF Dev to Victor Julien
VJ Updated by Victor Julien about 2 years ago
- Subject changed from Rule with iprep keyword never matches when used with '=,0' to iprep: rule with '=,0' can't match
VJ Updated by Victor Julien about 2 years ago
- Related to Feature #6857: iprep: support seeing if rule is part of a rep list added
VJ Updated by Victor Julien almost 2 years ago
- Status changed from New to In Progress
- Target version changed from TBD to 8.0.0-beta1
- Label Needs backport to 7.0 added
OT Updated by OISF Ticketbot almost 2 years ago
- Subtask #6986 added
OT Updated by OISF Ticketbot almost 2 years ago
- Label deleted (
Needs backport to 7.0)
VJ Updated by Victor Julien almost 2 years ago
- Status changed from In Progress to In Review
VJ Updated by Victor Julien almost 2 years ago
- Status changed from In Review to Resolved
PA Updated by Philippe Antoine almost 2 years ago
- Status changed from Resolved to Closed
Actions