Actions
Bug #7361
openrules: unknown internal events not being detected as errors
Affected Versions:
Effort:
Difficulty:
Label:
Description
For example, we have these DNS engine rules:
alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; classtype:protocol-command-decode; sid:2240004; rev:2;) alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; classtype:protocol-command-decode; sid:2240005; rev:2;)
The problem is that dns.not_a_request
and dns.not_a_response
are not valid, as they are actually dns.not_request
and dns.not_response
. We have a few more as well that are now detected in Suricata git-master:
Warning: detect-app-layer-event: app-layer-event keyword's protocol "dns" doesn't have event "not_a_request" registered [DetectAppLayerEventSetup:detect-app-layer-event.c:262] Warning: detect-app-layer-event: app-layer-event keyword's protocol "dns" doesn't have event "not_a_response" registered [DetectAppLayerEventSetup:detect-app-layer-event.c:262] Warning: detect-app-layer-event: app-layer-event keyword's protocol "http2" doesn't have event "invalid_http1_settings" registered [DetectAppLayerEventSetup:detect-app-layer-event.c:262] Warning: detect-app-layer-event: app-layer-event keyword's protocol "ike" doesn't have event "weak_crypto_nodh" registered [DetectAppLayerEventSetup:detect-app-layer-event.c:262] Warning: detect-app-layer-event: app-layer-event keyword's protocol "ike" doesn't have event "weak_crypto_noauth" registered [DetectAppLayerEventSetup:detect-app-layer-event.c:262] Warning: detect-app-layer-event: app-layer-event keyword's protocol "modbus" doesn't have event "invalid_unit_identifier" registered [DetectAppLayerEventSetup:detect-app-layer-event.c:262]
The code in master was fixed as part of a cleanup in PR: https://github.com/OISF/suricata/pull/12019, so just event names need to be synced.
7 needs the return type fixed, and event names fixed.
Updated by Jason Ish about 2 months ago
- Status changed from In Progress to In Review
Updated by Jason Ish about 2 months ago
- Target version changed from TBD to 8.0.0-beta1
Updated by OISF Ticketbot about 2 months ago
- Label deleted (
Needs backport to 7.0)
Updated by Jason Ish about 2 months ago
- Status changed from In Review to Resolved
Actions