Project

General

Profile

Actions

Bug #7361

open

rules: unknown internal events not being detected as errors

Added by Jason Ish about 2 months ago. Updated about 1 month ago.

Status:
Resolved
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

For example, we have these DNS engine rules:

alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; classtype:protocol-command-decode; sid:2240004; rev:2;)
alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; classtype:protocol-command-decode; sid:2240005; rev:2;)

The problem is that dns.not_a_request and dns.not_a_response are not valid, as they are actually dns.not_request and dns.not_response. We have a few more as well that are now detected in Suricata git-master:

Warning: detect-app-layer-event: app-layer-event keyword's protocol "dns" doesn't have event "not_a_request" registered [DetectAppLayerEventSetup:detect-app-layer-event.c:262]
Warning: detect-app-layer-event: app-layer-event keyword's protocol "dns" doesn't have event "not_a_response" registered [DetectAppLayerEventSetup:detect-app-layer-event.c:262]
Warning: detect-app-layer-event: app-layer-event keyword's protocol "http2" doesn't have event "invalid_http1_settings" registered [DetectAppLayerEventSetup:detect-app-layer-event.c:262]
Warning: detect-app-layer-event: app-layer-event keyword's protocol "ike" doesn't have event "weak_crypto_nodh" registered [DetectAppLayerEventSetup:detect-app-layer-event.c:262]
Warning: detect-app-layer-event: app-layer-event keyword's protocol "ike" doesn't have event "weak_crypto_noauth" registered [DetectAppLayerEventSetup:detect-app-layer-event.c:262]
Warning: detect-app-layer-event: app-layer-event keyword's protocol "modbus" doesn't have event "invalid_unit_identifier" registered [DetectAppLayerEventSetup:detect-app-layer-event.c:262]

The code in master was fixed as part of a cleanup in PR: https://github.com/OISF/suricata/pull/12019, so just event names need to be synced.

7 needs the return type fixed, and event names fixed.


Subtasks 1 (0 open1 closed)

Bug #7362: rules: unknown internal events not being detected as errors (7.0.x backport)ClosedJason IshActions
Actions #1

Updated by Jason Ish about 2 months ago

  • Description updated (diff)
Actions #2

Updated by Jason Ish about 2 months ago

  • Description updated (diff)
Actions #3

Updated by Jason Ish about 2 months ago

  • Status changed from In Progress to In Review
Actions #4

Updated by Jason Ish about 2 months ago

  • Target version changed from TBD to 8.0.0-beta1
Actions #5

Updated by OISF Ticketbot about 2 months ago

  • Subtask #7362 added
Actions #6

Updated by OISF Ticketbot about 2 months ago

  • Label deleted (Needs backport to 7.0)
Actions #7

Updated by Jason Ish about 2 months ago

  • Status changed from In Review to Resolved
Actions

Also available in: Atom PDF