Project

General

Profile

Actions

Bug #6894

open

bsize validation FP on content negation with hex encoded 0d 0a

Added by Brandon Murphy 8 months ago. Updated 7 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

consider the following rule, which contains

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST"; flow:established,to_server; http.header_names; bsize:10; content:!"|0d 0a|User-Agent|0d 0a|"; content:"|0d 0a|Host|0d 0a 0d 0a|"; sid:1;)
[129 - Suricata-Main] 2024-03-24 22:40:11 Error: detect-bsize: signature can't match as required content length 14 exceeds bsize value: 10
[129 - Suricata-Main] 2024-03-24 22:40:11 Error: detect: error parsing signature "alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST"; flow:established,to_server; http.header_names; bsize:10; content:!"|0d 0a|User-Agent|0d 0a|"; content:"|0d 0a|Host|0d 0a 0d 0a|"; sid:1;)" from file /tmp/49c7c31b54ecbe71_Mar-24-2024_22-40-11/dalton-custom.rules at line 1

I've been able to isolate the issue to the hex encoded values within the content negation.

if you remove one of the |0d 0a| within content:!"|0d 0a|User-Agent|0d 0a|"; the error produced reports a required length of 12.


Related issues 1 (1 open0 closed)

Related to Suricata - Feature #4226: bsize: apply as depth to patternsAssignedJeff LucovskyActions
Actions

Also available in: Atom PDF