Bug #7638: detect: incorrect rule ordering with more complex flowbit chains - Suricata - Open Information Security Foundation

Custom queries

8.0.0 Stories
Good First Issues
OISF community

Actions

Copy link

Bug #7638

open

detect: incorrect rule ordering with more complex flowbit chains

Added by Victor Julien 6 months ago. Updated 19 days ago.

Status:

In Review

Priority:

High

Assignee:

Shivani Bhardwaj

Target version:

9.0.0-beta1

Affected Versions:

8.0.0

Effort:

Difficulty:

high

Label:

Description

alert http any any -> any any (http.uri; content:"down"; flowbits:set,uritest; sid:11;)
alert http any any -> any any (http.user_agent; content:"Mozilla"; flowbits:isset, headtest; flowbits:set,moz; sid:10;)
alert http any any -> any any (http.method; content:"GET"; flowbits:isset,uritest; flowbits:set,headtest; sid:12;)
alert http any any -> any any (http.host; content:"ether"; flowbits:isset,moz; sid:14;)

should be ordered: 11, 12, 10, 14. Is actually ordered: 11, 10, 12, 14. This is because in the ordering there just 3 cases:
set, read, read_set. Sid 10 and 12 are both read_set, and thus correct order isn't enforced.

Subtasks 6 (6 open — 0 closed)

Bug #7771: flowbits: cyclic dependencies in flowbits are accepted by the engine	In Review	Shivani Bhardwaj	Actions
Bug #7772: flowbits: no-op set and isset combinations are accepted	In Review	Shivani Bhardwaj	Actions
Bug #7773: flowbits: no-op unset + isnotset combinations are accepted	In Review	Shivani Bhardwaj	Actions
Bug #7774: flowbits: invalid set + toggle combinations are accepted	In Review	Shivani Bhardwaj	Actions
Bug #7817: flowbits: invalid isset and isnotset combinations are accepted	In Review	Shivani Bhardwaj	Actions
Bug #7818: flowbits: invalid set and unset combinations are accepted	In Review	Shivani Bhardwaj	Actions

Related issues 1 (1 open — 0 closed)

Related to Suricata - Bug #1399: Flowbits rules not always evaluated in necessary order

Assigned

Victor Julien

Actions

Issue # Delay: days Cancel

History
Notes
Property changes

Actions

Copy link

Updated by Victor Julien 6 months ago

SV test https://github.com/OISF/suricata-verify/pull/2397

Actions

Copy link

Updated by Shivani Bhardwaj 4 months ago

Status changed from Assigned to In Progress
Difficulty set to medium

Actions

Copy link

Updated by Shivani Bhardwaj 3 months ago

Target version changed from 8.0.0-rc1 to 8.0.0

This turned out to be more than just choosing and applying a correct sorting order. Isolating this problem was not a good idea.

Actions

Copy link

Updated by Shivani Bhardwaj 3 months ago

Priority changed from Normal to High
Target version changed from 8.0.0 to 8.0.0-rc1
Difficulty changed from medium to high

I think I am more confident now that this is actually indeed a boolean satisfiability problem. These class of problems are unsolvable in polynomial time for more than 2 conditions. A demo for 2-SAT problem is given here: https://www.geeksforgeeks.org/2-satisfiability-2-sat-problem/

Note that we can always run into "unsatisfiable" data paths. For example, the engine accepts the following complex flowbit chains but there's no way to determine the correct order for these as there isn't one:

alert http any any -> any any (http.user_agent; content:"Mozilla"; flowbits:isset, headtest; flowbits:set,moz; sid:10;) alert http any any -> any any (http.method; content:"GET"; flowbits:set,headtest; flowbits:isset,moz; sid:12;)

So, what we can do is:
1. Apply some restrictions to reduce the number of checks. e.g. cyclic dependencies like in the above mentioned example must be disallowed resulting in errors/commenting of all rules involved.
2. Create a cycle free many to many relationship internal table. i.e. b/w signatures and flowbits.

I'm currently working on listing out the possible restrictions that could/should be applied and what should the relationship table look like.

Actions

Copy link

Updated by Shivani Bhardwaj 3 months ago

Target version changed from 8.0.0-rc1 to 8.0.0

Actions

Copy link

Updated by Victor Julien 3 months ago · Edited

Target version changed from 8.0.0 to 9.0.0-beta1

I think it makes sense to start with banning cyclical dependencies, as they can't be satisfied at runtime anyway. Perhaps we should create subtickets for the distinct steps.

Actions

Copy link