Project

General

Profile

Actions

Bug #8

closed

engine fails to match when fast_pattern rule is inspecting the same payload as a non-fast_pattern rule

Added by Will Metcalf about 15 years ago. Updated about 15 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Example the signature with sid: 498 should fire when visiting http://www.testmyids.com but fails when sid: 12757 is enabled as it contains a fast_pattern modified match and is inspecting the same payload as sid: 498. This worked previous to commit 6ca5dbc9e93d5af306a48ca86ee7bd67b8fbfade. I have attached a patch with a unittest showing this behavior. Please include it when you submit a patch that addresses the issue.

example rules:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple Quicktime uncompressed PICT stack overflow attempt"; flow:to_client,established; content:"|00 00 00 00 00 00 00 00 00 00|"; content:"|00 11 02 FF|"; distance:0; fast_pattern; content:"|82 01|"; distance:0; byte_test:4,<,50,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26344; reference:cve,2007-4672; classtype:attempted-user; sid:12757; rev:2;)

alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content:"uid=0|28|root|29|"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:bad-unknown; sid:498; rev:7;)


Files

0001-failing-unit-test-where-fast_pattern-rule-and-non-fa.patch (3.35 KB) 0001-failing-unit-test-where-fast_pattern-rule-and-non-fa.patch unit test patch against 746d12071e68dd0bbd2f5f4e0823b9f401e61e16 Will Metcalf, 11/12/2009 11:14 AM
0001-Bug-fix-for-fast_pattern-bug-8.patch (2.81 KB) 0001-Bug-fix-for-fast_pattern-bug-8.patch Anoop Saldanha, 11/13/2009 04:26 AM
Actions #1

Updated by Anoop Saldanha about 15 years ago

Have attached a fix against 746d12071e68dd0bbd2f5f4e0823b9f401e61e16.

Actions #2

Updated by Victor Julien about 15 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Patches for unittest and fix are applied, thanks Anoop and Will.

Actions

Also available in: Atom PDF