Bug #7873: stream_size: no error with udp rule
Status: Open
Description
The combination of udp plus stream_size should error out.
For example, this rule should not load and should throw an error:
alert udp any any -> any 53 (msg:"TEST1 ANOMALY UDP port 53 but not DNS"; flow:to_server; app-layer-protocol:!dns; stream_size:both, >, 5000; threshold: type both, track by_both, count 1, seconds 60; classtype:unknown; sid:1231; rev:1;)
Tested with:
suricata --build-info
This is Suricata version 8.0.1-dev (49629f7cb 2025-08-22)
Features: PCAP_SET_BUFF AF_PACKET HAVE_PACKET_FANOUT LIBCAP_NG LIBNET1.1 HAVE_HTP_URI_NORMALIZE_HOOK PCRE_JIT HAVE_NSS HTTP2_DECOMPRESSION HAVE_LUA HAVE_JA3 HAVE_JA4 HAVE_LIBJANSSON TLS TLS_C11 MAGIC RUST POPCNT64
SIMD support: SSE_4_2 SSE_4_1 SSE_3 SSE_2
Atomic intrinsics: 1 2 4 8 16 byte(s)
64-bits, Little-endian architecture
GCC version 14.3.0, C version 201112
compiled with _FORTIFY_SOURCE=0
L1 cache line size (CLS)=64
thread local storage method: _Thread_local
compiled with LibHTP v8.0.1-dev

Suricata Configuration:
  AF_PACKET support: yes
  AF_XDP support: no
  DPDK support: no
  eBPF support: no
  XDP support: no
  PF_RING support: no
  NFQueue support: no
  NFLOG support: no
  IPFW support: no
  Netmap support: no
  DAG enabled: no
  Napatech enabled: no
  WinDivert enabled: no
  Npcap support:
  Unix socket enabled: yes
  Detection enabled: yes
  Libmagic support: yes
  libjansson support: yes
  hiredis support: no
  hiredis async with libevent: no
  PCRE jit: yes
  GeoIP2 support: yes
  JA3 support: yes
  JA4 support: yes
  Hyperscan support: yes
  Hwloc support: no
  Libnet support: yes
  liblz4 support: yes
  Landlock support: yes
  Systemd support: yes
  Rust strict mode: no
  Rust compiler path: /home/pevma/.cargo/bin/rustc
  Rust compiler version: rustc 1.85.1 (4eb161250 2025-03-15)
  Cargo path: /home/pevma/.cargo/bin/cargo
  Cargo version: cargo 1.85.1 (d73d2caf9 2024-12-31)
  Python support: yes
  Python path: /home/pevma/.pyenv/shims/python3
  Install suricatactl: yes
  Install suricatasc: yes
  Install suricata-update: no, not bundled
  Profiling enabled: no
  Profiling locks enabled: no
  Profiling rules enabled: no
  Plugin support (experimental): yes
  DPDK Bond PMD: no
  Plugins:
    nDPI: no

Development settings:
  Coccinelle / spatch: yes
  Unit tests enabled: no
  Debug output enabled: no
  Debug validation enabled: no
  Fuzz targets enabled: no

Generic build parameters:
  Installation prefix: /opt/suritest-master
  Configuration directory: /opt/suritest-master/etc/suricata/
  Log directory: /opt/suritest-master/var/log/suricata/

  --prefix /opt/suritest-master
  --sysconfdir /opt/suritest-master/etc
  --localstatedir /opt/suritest-master/var
  --datarootdir /opt/suritest-master/share

  Host: x86_64-pc-linux-gnu
  Compiler: gcc (exec name) / g++ (real)
  GCC Protect enabled: no
  GCC march native enabled: yes
  GCC Profile enabled: no
  Position Independent Executable enabled: no
  CFLAGS -g -O2 -fPIC -DOS_LINUX -std=c11 -march=native
  PCAP_CFLAGS -I/usr/include/dbus-1.0 -I/usr/lib/x86_64-linux-gnu/dbus-1.0/include
  SECCFLAGS
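Until the engine rejects this combination, a ruleset lint can catch it before deployment, since stream_size is only evaluated on TCP packets that belong to a session and a udp rule carrying it loads but silently never matches. The check below is an added example, not part of this report and not Suricata's own code; it assumes udp, icmp and icmpv6 as the protocols that never carry a TCP stream and stream_size as the only stream-only keyword, and embeds the report's rule as sample input.

```python
import re

# Assumptions (not from the report): stream_size is the only keyword
# checked, and udp/icmp/icmpv6 are protocols that never carry a TCP stream.
STREAM_ONLY_KEYWORDS = {"stream_size"}
NON_STREAM_PROTOS = {"udp", "icmp", "icmpv6"}

# One-line rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\S+)\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+"
    r"\s*\((?P<opts>.*)\)\s*$"
)

def split_options(opts: str) -> list[str]:
    """Split on ';' outside double quotes (msg/content values may contain ';')."""
    out, buf, quoted = [], "", False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            out.append(buf.strip())
            buf = ""
        else:
            buf += ch
    out.append(buf.strip())
    return [o for o in out if o]

def parse_rule(rule: str) -> dict:
    """Return the protocol, option keyword names and sid of a one-line rule."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError(f"not a rule: {rule!r}")
    opts = split_options(m.group("opts"))
    names = [o.split(":", 1)[0].strip() for o in opts]
    sid = next((o.split(":", 1)[1].strip() for o in opts if o.startswith("sid:")), "?")
    return {"proto": m.group("proto").lower(), "keywords": names, "sid": sid}

def lint_rule(rule: str) -> list[str]:
    """Problems in one rule; an empty list means it passes this check."""
    r = parse_rule(rule)
    if r["proto"] not in NON_STREAM_PROTOS:
        return []
    return [f"sid {r['sid']}: {kw} requires a tcp stream but proto is {r['proto']}"
            for kw in r["keywords"] if kw in STREAM_ONLY_KEYWORDS]

# Sample input: the rule from the report above.
RULE_FROM_REPORT = ('alert udp any any -> any 53 (msg:"TEST1 ANOMALY UDP port 53 but not DNS"; '
                    'flow:to_server; app-layer-protocol:!dns; stream_size:both, >, 5000; '
                    'threshold: type both, track by_both, count 1, seconds 60; '
                    'classtype:unknown; sid:1231; rev:1;)')
```

Running lint_rule over every non-comment line of a rules file flags the report's rule and stays silent for the same rule on tcp.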
Updated by Peter Manev 1 day ago
Below is a test that does not error with the rule above.
rm logs/* -rf ; suricata -S wip-3.rules -l logs --engine-analysis -T
Notice: suricata: This is Suricata version 8.0.1-dev (49629f7cb 2025-08-22) running in USER mode [LogVersion:suricata.c:1208]
Notice: mpm-hs: Rule group caching - loaded: 0 newly cached: 0 total cacheable: 0 [SCHSCacheRuleset:util-mpm-hs.c:852]
Updated by Victor Julien 1 day ago
- Subject changed from "udp with stream_size does not err in rule inspection" to "stream_size: no error with udp rule"
Is this an issue with 7.0.x as well?