Project

General

Profile

Actions

Bug #6859

closed

Bug #5220: fast_pattern specification in base64_data shouldn't be allowed

fast_pattern specification in base64_data shouldn't be allowed (7.0.x backport)

Added by OISF Ticketbot 9 months ago. Updated 8 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:
Actions #1

Updated by Shivani Bhardwaj 9 months ago

  • Target version changed from 7.0.4 to 7.0.5
Actions #2

Updated by Victor Julien 9 months ago

I wonder how we should handle the backport. We can't starting rejecting these rules, as they still work fine.

Actions #3

Updated by Shivani Bhardwaj 9 months ago

Victor Julien wrote in #note-2:

I wonder how we should handle the backport. We can't starting rejecting these rules, as they still work fine.

Leave a warning that using fast_pattern w base64_data has no effect so is useless and will be rejected in 8..?

Actions #4

Updated by Victor Julien 9 months ago

Shivani Bhardwaj wrote in #note-3:

Victor Julien wrote in #note-2:

I wonder how we should handle the backport. We can't starting rejecting these rules, as they still work fine.

Leave a warning that using fast_pattern w base64_data has no effect so is useless and will be rejected in 8..?

We've seen that new warnings are often seen as too "severe" by integrators. So perhaps we should just give an info/notice message and accept the rule. Could also add a note or warning to the rule analyzer perhaps.

Actions #5

Updated by Shivani Bhardwaj 9 months ago

> We've seen that new warnings are often seen as too "severe" by integrators. So perhaps we should just give an info/notice message and accept the rule. Could also add a note or warning to the rule analyzer perhaps.

I see. Ok. Do you mean that we should accept it with info message even on 8? So, I should change the behavior in the PR https://github.com/OISF/suricata/pull/10641?

Actions #6

Updated by Victor Julien 9 months ago

No, in 8 we can be strict. Just don't want to introduce errors/warnings for otherwise fairly harmless issues in a patch release.

Actions #7

Updated by Shivani Bhardwaj 9 months ago

Victor Julien wrote in #note-6:

No, in 8 we can be strict. Just don't want to introduce errors/warnings for otherwise fairly harmless issues in a patch release.

Got it. Will implement solution for 7.0.5 as discussed. Thank you!

Actions #8

Updated by Shivani Bhardwaj 9 months ago

  • Status changed from Assigned to In Review
Actions #9

Updated by Shivani Bhardwaj 8 months ago

  • Status changed from In Review to Closed
Actions

Also available in: Atom PDF