Bug #8158: ssl_version keyword negation (!) not working (7.0.x backport) - Suricata - Open Information Security Foundation

Custom queries

8.0.0 Stories
Good First Issues
OISF community
Open Doc tasks

Actions

Copy link

Bug #8158

closed

Bug #3220: ssl_version keyword negation (!) not working

ssl_version keyword negation (!) not working (7.0.x backport)

Added by OISF Ticketbot 7 days ago. Updated 6 days ago.

Status:

Closed

Priority:

Normal

Assignee:

OISF Dev

Target version:

7.0.14

Affected Versions:

Effort:

Difficulty:

Label:

History
Notes
Property changes

Actions

Copy link

Updated by Philippe Antoine 7 days ago

Assignee changed from Philippe Antoine to OISF Dev

I do not think this needs to be backported to 7 : nothing critical, an undocumented feature never worked, and this is just syntax sugar, not adding more expressivity to the rules language

Actions

Copy link

Updated by Jason Ish 7 days ago

Philippe Antoine wrote in #note-1:

I do not think this needs to be backported to 7 : nothing critical, an undocumented feature never worked, and this is just syntax sugar, not adding more expressivity to the rules language

How does it fail. Does 7.0 silently accept the negation leading the user to think that it should work? Then a backport is fine.

Or does it error out as an invalid rule? Then probably not, its more of a feature then.

Actions

Copy link

Updated by Philippe Antoine 7 days ago

How does it fail. Does 7.0 silently accept the negation leading the user to think that it should work?

yes

There are other cases where we use the opposite rule like https://redmine.openinfosecfoundation.org/issues/8010
Suricata8 silently accepts fragbits:M+D; leading the user to think that it should work, but it does not : it is handled as just M with trailing garbage ignored, and we do not want to backport it as existing ruleset will fail to load

Actions

Copy link