Bug #8010

open

fragbits: failure to parse existing rules

Added by Victor Julien 3 days ago. Updated 2 days ago.

Status: Assigned
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Oct 22 02:11:34 c2758 suricata[325876]: Error: uint: Bitflag unexpected value + [suricata::detect::uint::parse_flag_list:uint.rs:366]
Oct 22 02:11:34 c2758 suricata[325876]: Error: detect: error parsing signature "alert ip any any -> any any (msg:"POSSBL SCAN FRAG (NMAP -f)"; fragbits:M+D; threshold:type limit, track by_src, count 3, seconds 1210; classtype:attempted-recon; sid:3400006; priority:2; rev:6;)" from file /var/lib/suricata/rules/suricata.rules at line 22802 [DetectLoadSigFile:detect-engine-loader.c:197]
Oct 22 02:11:34 c2758 suricata[325876]: Error: uint: Bitflag unexpected value + [suricata::detect::uint::parse_flag_list:uint.rs:366]
Oct 22 02:11:34 c2758 suricata[325876]: Error: detect: error parsing signature "alert ip any any -> any any (msg:"POSSBL SCAN FRAG (NMAP -f)"; fragbits:M+D; threshold:type limit, track by_src, count 3, seconds 1210; classtype:attempted-recon; sid:3400006; priority:2; rev:6;)" from file /var/lib/suricata/rules/suricata.rules at line 22802 [DetectLoadSigFile:detect-engine-loader.c:197]

Should probably create some more SV parsing jobs for rulesets we list in our index.

Actions #1

Updated by Victor Julien 3 days ago

Btw I feel the error message is a bit terse too. Should probably include the input it was trying to parse, as well as the keyword name?

Actions #2

Updated by Philippe Antoine 2 days ago

Note that this rule fragbits:M+D; is interpreted in 8 like fragbits:M; and what comes next is just garbage, so probably not the rule writer's intention
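Added example, not part of the ticket and not Suricata's own code: a small pre-deployment check that scans a ruleset for `fragbits` values outside the documented `fragbits:[*+!]<[MDR]>;` form, which flags rules like the one in the log before an engine upgrade rejects them. The function names and the constructed sample rules (sids 1000001 to 1000003) are assumptions made for the example.

```python
import re

# Assumption: documented form fragbits:[*+!]<[MDR]>; (this is not Suricata's parser).
DOCUMENTED = re.compile(r"^[*+!]?\s*[MDR]+$")
FRAGBITS_OPT = re.compile(r"\bfragbits\s*:\s*([^;]*);")
SID_OPT = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')  # msg/content strings, escapes included

def check_fragbits(value):
    """Return None when value has the documented form, else a short reason."""
    v = value.strip()
    if DOCUMENTED.match(v):
        return None
    if not v:
        return "empty value"
    unknown = sorted(set(v) - set("*+!MDR"))
    if unknown:
        return "unexpected character(s): " + " ".join(map(repr, unknown))
    if re.search(r"[MDR][*+!]", v):
        return "modifier after a flag letter; it must come first"
    return "several modifiers or no flag letter"

def scan_rules(text):
    """Return (line_no, sid, value, reason) for each non-conforming fragbits."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        rule = line.strip()
        if not rule or rule.startswith("#"):
            continue  # blank line or commented-out rule
        bare = QUOTED.sub('""', rule)  # ignore keyword-like text inside strings
        sid = SID_OPT.search(bare)
        for m in FRAGBITS_OPT.finditer(bare):
            value = m.group(1).strip()
            reason = check_fragbits(value)
            if reason:
                findings.append((line_no, sid.group(1) if sid else None, value, reason))
    return findings

# Constructed sample; only the first rule is the one quoted in the ticket.
SAMPLE = r'''
alert ip any any -> any any (msg:"POSSBL SCAN FRAG (NMAP -f)"; fragbits:M+D; threshold:type limit, track by_src, count 3, seconds 1210; classtype:attempted-recon; sid:3400006; priority:2; rev:6;)
alert ip any any -> any any (msg:"constructed: documented form"; fragbits:+MD; sid:1000001; rev:1;)
alert ip any any -> any any (msg:"constructed: mentions fragbits:M+D\; in msg"; fragbits:!D; sid:1000002; rev:1;)
# alert ip any any -> any any (msg:"constructed: disabled"; fragbits:M+D; sid:1000003; rev:1;)
'''

if __name__ == "__main__":
    for line_no, sid, value, reason in scan_rules(SAMPLE):
        print(f"line {line_no} sid {sid}: fragbits:{value}; -> {reason}")
```
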
