Project

General

Profile

Actions

Security #7195

closed

datasets: rule with unset makes suricata abort

Added by Philippe Antoine 5 months ago. Updated 2 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
Git IDs:

e47598110a557bb9f87ea498d85ba91a45bb0cb6

Severity:
HIGH
Disclosure Date:

Description

Running SV datasets-03-set test with added rule

diff --git a/tests/datasets-03-set/test.rules b/tests/datasets-03-set/test.rules
index 1d99df9d..327c774a 100644
--- a/tests/datasets-03-set/test.rules
+++ b/tests/datasets-03-set/test.rules
@@ -1 +1,2 @@
 alert dns any any -> any any (dns.query; dataset:set,dns-seen, type string; sid:1;)
+alert dns any any -> any any (dns.query; content: "example"; dataset:unset,dns-seen, type string; sid:2;)

triggers the abort in DetectDatasetBufferMatch because we get DETECT_DATASET_CMD_UNSET


Subtasks 1 (0 open1 closed)

Security #7196: datasets: rule with unset makes suricata abort (7.0.x backport)ClosedPhilippe AntoineActions

Related issues 1 (1 open0 closed)

Related to Suricata - Bug #5576: Dataset is setting data despite the signature being a complete matchIn ReviewPhilippe AntoineActions
Actions

Also available in: Atom PDF