Security #7195

datasets: rule with unset makes suricata abort

Added by Philippe Antoine 5 months ago. Updated 2 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
Git IDs:

e47598110a557bb9f87ea498d85ba91a45bb0cb6

Severity:
HIGH
Disclosure Date:

Description

Running SV datasets-03-set test with added rule

diff --git a/tests/datasets-03-set/test.rules b/tests/datasets-03-set/test.rules
index 1d99df9d..327c774a 100644
--- a/tests/datasets-03-set/test.rules
+++ b/tests/datasets-03-set/test.rules
@@ -1 +1,2 @@
 alert dns any any -> any any (dns.query; dataset:set,dns-seen, type string; sid:1;)
+alert dns any any -> any any (dns.query; content: "example"; dataset:unset,dns-seen, type string; sid:2;)
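Review bot: the added sid:2 differs from sid:1 only in the `content: "example"` match and the `unset` command, so the hunk isolates DETECT_DATASET_CMD_UNSET as the trigger; since the ticket discussion leaves open whether the fix implements unset or rejects such rules at load time, the test's expected outcome should be tied to whichever fix is merged.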

triggers the abort in DetectDatasetBufferMatch because we get DETECT_DATASET_CMD_UNSET.
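As an added pre-flight check (not code from the Suricata project or from this ticket), the following scans a rules file for the `dataset:unset` command that affected builds abort on, and can drop those rules before an affected build loads them. The option layout `dataset:<cmd>,<name>, type <t>` is assumed from the rules shown in the diff above; the sample rules are constructed from them.

```python
import re

# Assumed layout from the rules in the ticket: dataset:<cmd>,<name>[, type <t>, ...];
DATASET_RE = re.compile(r"\bdataset\s*:\s*([^;]*);")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)")

# Constructed sample: the two rules from the ticket plus one extra line.
SAMPLE_RULES = """\
alert dns any any -> any any (dns.query; dataset:set,dns-seen, type string; sid:1;)
alert dns any any -> any any (dns.query; content: "example"; dataset:unset,dns-seen, type string; sid:2;)
# constructed extra line: isset is not the command this ticket concerns
alert dns any any -> any any (dns.query; dataset:isset,dns-seen, type string; sid:3;)
"""


def parse_dataset_option(opt):
    """Split 'unset,dns-seen, type string' into {'cmd', 'name', 'type', ...}."""
    parts = [p.strip() for p in opt.split(",")]
    parsed = {"cmd": parts[0].lower(), "name": parts[1] if len(parts) > 1 else ""}
    for extra in parts[2:]:          # e.g. "type string", "save foo.lst"
        key, _, value = extra.partition(" ")
        parsed[key] = value.strip()
    return parsed


def find_unset_rules(rules_text):
    """Return one finding per rule line that uses the dataset unset command."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = SID_RE.search(line)
        # Simplification: does not skip 'dataset:' text inside quoted content.
        for m in DATASET_RE.finditer(line):
            opt = parse_dataset_option(m.group(1))
            if opt["cmd"] == "unset":
                findings.append({"line": lineno,
                                 "sid": int(sid.group(1)) if sid else None,
                                 "dataset": opt["name"]})
    return findings


def reject_unset_rules(rules_text):
    """Drop flagged lines so an affected build never loads them; return (kept, findings)."""
    findings = find_unset_rules(rules_text)
    bad = {f["line"] for f in findings}
    kept = [l for i, l in enumerate(rules_text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n", findings
```

Run `find_unset_rules` over a real rules file before deploying it to a build that predates the fix; `reject_unset_rules` returns the filtered text to write back out.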


Subtasks 1 (0 open, 1 closed)

Security #7196: datasets: rule with unset makes suricata abort (7.0.x backport) | Closed | Philippe Antoine

Related issues 1 (1 open, 0 closed)

Related to Suricata - Bug #5576: Dataset is setting data despite the signature being a complete match | In Review | Philippe Antoine
Actions #1

Updated by Philippe Antoine 5 months ago

  • Related to Bug #5576: Dataset is setting data despite the signature being a complete match added
Actions #2

Updated by OISF Ticketbot 5 months ago

  • Subtask #7196 added
Actions #3

Updated by OISF Ticketbot 5 months ago

  • Label deleted (Needs backport to 7.0)
Actions #4

Updated by Philippe Antoine 5 months ago

  • Status changed from New to In Review

Gitlab MR

Actions #5

Updated by Philippe Antoine 4 months ago

unset support in datasets was half-done.

A fix can be implementing the missing support.

Another fix can be to reject such rules for now.

Actions #6

Updated by Victor Julien 3 months ago

  • Severity changed from MODERATE to HIGH

HIGH as it requires a bad rule, but then it aborts in a defined way.

Actions #8

Updated by Philippe Antoine 3 months ago

  • Status changed from In Review to Resolved
Actions #9

Updated by Philippe Antoine 3 months ago

Still SV test to merge before closing https://github.com/OISF/suricata-verify/pull/2065

Actions #10

Updated by Philippe Antoine 3 months ago

  • Git IDs updated (diff)
Actions #11

Updated by Victor Julien 2 months ago

  • Private changed from Yes to No
Actions #12

Updated by Philippe Antoine 2 months ago

  • Status changed from Resolved to Closed