Bug #697 (Closed)
ERRCODE: SC_ERR_PCRE_MATCH with IPv6 address/subnet with suppress rule
Description
Suppress rules like the following:
suppress gen_id 1, sig_id <id>, track by_dst, ip fe80::/16
fail with the following:
6/1/2013 -- 10:02:28 - <Error> - [ERRCODE: SC_ERR_PCRE_MATCH(2)] - pcre_exec parse error, ret -1, string , track by_dst, ip fe80::/16
This is because DETECT_SUPPRESS_REGEX is only valid for IPv4 addresses:
#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src)\\s*,\\s*ip\\s*([\\d.:/]+)*\\s*$"
Adjusting this to the following seems to fix the issue:
#define DETECT_SUPPRESS_REGEX "^,\\s*track\\s*(by_dst|by_src)\\s*,\\s*ip\\s*([\\da-f.:/]+)*\\s*$"
I used '[\\da-f.:/]+'. Could also probably use '[[:xdigit:].:/]+' but OTOH I wasn't sure if that would allow A-F and how suricata would handle addresses with upper case if it did.
Updated by Jamie Strandboge almost 12 years ago
- File fix-ipv6-suppress.patch added
Here is a patch against 1.4 for the above.
Updated by Victor Julien almost 12 years ago
The regex needs to handle the "case", so I think it should be A-Fa-f.
I prefer patches through github, care to do one?
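To make the three regex variants discussed here (the original define, the reporter's a-f version, and the A-Fa-f form suggested in the previous comment) concrete, the following is an added example, not code from the ticket or from Suricata. It uses Python's `re` as a stand-in for pcre_exec on the same pattern text; the C string escapes are unwrapped, and the option tail passed in is the string shown in the error message (everything after `sig_id <id>`), which is an assumption about how the suppress line is split.

```python
import re

# DETECT_SUPPRESS_REGEX as it appeared in 1.4: only digits, '.', ':' and '/'
# are allowed in the address, so the hex letters of an IPv6 address fail.
SUPPRESS_REGEX_ORIG = r"^,\s*track\s*(by_dst|by_src)\s*,\s*ip\s*([\d.:/]+)*\s*$"

# Reporter's first adjustment: lowercase hex only.
SUPPRESS_REGEX_LOWER = r"^,\s*track\s*(by_dst|by_src)\s*,\s*ip\s*([\da-f.:/]+)*\s*$"

# Case-insensitive hex, as requested in review (A-Fa-f).
SUPPRESS_REGEX_FIXED = r"^,\s*track\s*(by_dst|by_src)\s*,\s*ip\s*([\dA-Fa-f.:/]+)*\s*$"

VARIANTS = {
    "orig": SUPPRESS_REGEX_ORIG,
    "lower": SUPPRESS_REGEX_LOWER,
    "fixed": SUPPRESS_REGEX_FIXED,
}


def parse_suppress_opts(regex, opts):
    """Return (track, ip) when the option tail parses, else None.

    None corresponds to pcre_exec returning -1 (no match), which is what
    produced the SC_ERR_PCRE_MATCH error in the ticket.
    """
    m = re.match(regex, opts)
    if m is None:
        return None
    return m.group(1), m.group(2)


def matching_variants(opts):
    """Names of the regex variants that accept a given option tail."""
    return sorted(name for name, rx in VARIANTS.items()
                  if parse_suppress_opts(rx, opts) is not None)


if __name__ == "__main__":
    # Constructed inputs: the tail from the ticket's error line, an uppercase
    # spelling of the same prefix, and an IPv4 network that always worked.
    for tail in (", track by_dst, ip fe80::/16",
                 ", track by_dst, ip FE80::/16",
                 ", track by_src, ip 10.0.0.0/8"):
        print(repr(tail), "->", matching_variants(tail))
```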
Updated by Jamie Strandboge almost 12 years ago
I submitted an updated patch using https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Contributing_to_Suricata. Not sure if it was required for a patch of this size, but I also signed the contributor agreement.
Updated by Jamie Strandboge almost 12 years ago
I should've mentioned, I used 'git send-email --to oisf-devel@openinfosecfoundation.org ...' before I subscribed to oisf-devel@, so it may need to be moderated.
Updated by Victor Julien almost 12 years ago
- Status changed from New to Closed
- Assignee set to Jamie Strandboge
- Target version set to 1.4.1
Merged into master and master-1.3.x, thanks a lot Jamie.
I did some minimal testing with suppress rules to confirm it works, which it does.