Security #7195
closed
datasets: rule with unset makes suricata abort
Git IDs:
e47598110a557bb9f87ea498d85ba91a45bb0cb6
Severity:
HIGH
Disclosure Date:
Description
Running SV datasets-03-set test with added rule
diff --git a/tests/datasets-03-set/test.rules b/tests/datasets-03-set/test.rules
index 1d99df9d..327c774a 100644
--- a/tests/datasets-03-set/test.rules
+++ b/tests/datasets-03-set/test.rules
@@ -1 +1,2 @@
alert dns any any -> any any (dns.query; dataset:set,dns-seen, type string; sid:1;)
+alert dns any any -> any any (dns.query; content: "example"; dataset:unset,dns-seen, type string; sid:2;)
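Review bot: the added sid:2 line changes only tests/datasets-03-set/test.rules, and nothing in this hunk records what the test should expect from the new rule, so it alters an existing test instead of pinning the abort as its own case. Suggest moving the `dataset:unset,dns-seen` rule into a separate test directory with its own expected result and leaving the sid:1 `dataset:set` test as it was. Minor style point: `content: "example";` has a space after the colon, unlike `dataset:unset` and `sid:2` on the same line.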
triggers the abort in DetectDatasetBufferMatch
because we get DETECT_DATASET_CMD_UNSET
Updated by Philippe Antoine 5 months ago
- Related to Bug #5576: Dataset is setting data despite the signature being a complete match added
Updated by Philippe Antoine 4 months ago
unset support in datasets was half-done.
A fix can be implementing the missing support
Another fix can be to reject such rules for now
Updated by Victor Julien 3 months ago
- Severity changed from MODERATE to HIGH
HIGH as it requires a bad rule, but then it aborts in a defined way.
Updated by Juliana Fajardini Reichow 3 months ago
- CVE set to 2024-45795
Updated by Philippe Antoine 3 months ago
- Status changed from In Review to Resolved
Updated by Philippe Antoine 3 months ago
Still SV test to merge before closing https://github.com/OISF/suricata-verify/pull/2065
Updated by Philippe Antoine 2 months ago
- Status changed from Resolved to Closed
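An added example, not part of the issue or of the Suricata code base: a Python audit that lists enabled rules using `dataset:unset`, the construct the description reports as triggering the abort in DetectDatasetBufferMatch, so they can be found before a ruleset is loaded. The function name `find_unset_rules` and the sample rules with sid 3 and 4 are constructed for illustration.

```python
import re

# Quoted strings (content:"...") are blanked first so that text inside a
# pattern is never mistaken for a rule keyword.
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')
# dataset:<cmd>,<name>[, options]  ->  captures (cmd, name)
DATASET_RE = re.compile(r"\bdataset\s*:\s*([a-z]+)\s*,\s*([^,;\s]+)", re.IGNORECASE)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample: sid 1 and 2 are the rules quoted in the issue,
# sid 3 (disabled) and sid 4 (multi-line, "unset" only inside content) are made up.
SAMPLE = r"""alert dns any any -> any any (dns.query; dataset:set,dns-seen, type string; sid:1;)
alert dns any any -> any any (dns.query; content: "example"; dataset:unset,dns-seen, type string; sid:2;)
# alert dns any any -> any any (dns.query; dataset:unset,dns-seen, type string; sid:3;)
alert dns any any -> any any (dns.query; content:"dataset:unset,x"; \
    dataset:isset,dns-seen, type string; sid:4;)
"""

def find_unset_rules(rules_text):
    """Return (first_line_no, sid, dataset_name) for enabled rules using dataset:unset."""
    findings = []
    pending, start = "", 0
    for line_no, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.strip()
        if not pending:
            if not line or line.startswith("#"):
                continue  # blank line or disabled rule
            start = line_no
        if line.endswith("\\"):
            pending += line[:-1] + " "  # rule continues on the next line
            continue
        rule = QUOTED_RE.sub('""', pending + line)
        pending = ""
        sid_match = SID_RE.search(rule)
        sid = int(sid_match.group(1)) if sid_match else None
        for cmd, name in DATASET_RE.findall(rule):
            if cmd.lower() == "unset":
                findings.append((start, sid, name))
    return findings

if __name__ == "__main__":
    for line_no, sid, name in find_unset_rules(SAMPLE):
        print(f"line {line_no}: sid {sid} uses dataset:unset on '{name}'")
```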