Bug #8 (Closed)
Engine fails to match when a fast_pattern rule is inspecting the same payload as a non-fast_pattern rule
Description
For example, the signature with sid:498 should fire when visiting http://www.testmyids.com, but fails when sid:12757 is enabled, as it contains a fast_pattern-modified match and is inspecting the same payload as sid:498. This worked prior to commit 6ca5dbc9e93d5af306a48ca86ee7bd67b8fbfade. I have attached a patch with a unittest showing this behavior. Please include it when you submit a patch that addresses the issue.
Example rules:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Apple Quicktime uncompressed PICT stack overflow attempt"; flow:to_client,established; content:"|00 00 00 00 00 00 00 00 00 00|"; content:"|00 11 02 FF|"; distance:0; fast_pattern; content:"|82 01|"; distance:0; byte_test:4,<,50,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,26344; reference:cve,2007-4672; classtype:attempted-user; sid:12757; rev:2;)
alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content:"uid=0|28|root|29|"; metadata:policy balanced-ips drop, policy security-ips drop; classtype:bad-unknown; sid:498; rev:7;)
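To make the reported expectation concrete, here is a toy model of two-stage content inspection, added for this page and not Suricata code: stage one is a prefilter that looks for one pattern per signature (the content marked fast_pattern, otherwise the longest content, which is the heuristic this model assumes), and stage two runs the full content chain plus byte_test only for the candidates the prefilter returned. The regression property the reporter's unit test checks is that loading sid:12757 must not change the verdict of sid:498 on the same payload. The HTTP body and PICT bytes below are constructed sample input; the relative-match logic is a simplification (no backtracking to earlier match positions).

```python
"""Toy fast_pattern prefilter + full-match model (added example, not Suricata code)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Content:
    pattern: bytes
    distance: Optional[int] = None   # None = absolute search; int = relative to previous match end
    fast_pattern: bool = False


@dataclass
class ByteTest:
    nbytes: int
    op: str
    value: int
    offset: int
    relative: bool = True


@dataclass
class Signature:
    sid: int
    msg: str
    contents: List[Content]
    byte_test: Optional[ByteTest] = None


def parse_content(s: str) -> bytes:
    """Turn a rule content string with |hex| escapes into raw bytes."""
    out = bytearray()
    for i, part in enumerate(s.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def prefilter_pattern(sig: Signature) -> bytes:
    """Assumed heuristic: explicit fast_pattern wins, otherwise the longest content."""
    for c in sig.contents:
        if c.fast_pattern:
            return c.pattern
    return max(sig.contents, key=lambda c: len(c.pattern)).pattern


def prefilter(sigs: List[Signature], payload: bytes) -> List[Signature]:
    """Stage 1: candidates are signatures whose prefilter pattern occurs anywhere."""
    return [s for s in sigs if prefilter_pattern(s) in payload]


def full_match(sig: Signature, payload: bytes) -> bool:
    """Stage 2: walk the content chain in order, then apply byte_test if present."""
    pos = 0
    for c in sig.contents:
        start = 0 if c.distance is None else pos + c.distance
        idx = payload.find(c.pattern, start)
        if idx < 0:
            return False
        pos = idx + len(c.pattern)
    bt = sig.byte_test
    if bt is not None:
        start = pos + bt.offset if bt.relative else bt.offset
        chunk = payload[start:start + bt.nbytes]
        if len(chunk) < bt.nbytes:
            return False
        val = int.from_bytes(chunk, "big")
        ok = {"<": val < bt.value, ">": val > bt.value, "=": val == bt.value}[bt.op]
        if not ok:
            return False
    return True


def inspect(sigs: List[Signature], payload: bytes) -> Set[int]:
    """Return the sids that fire on this payload."""
    return {s.sid for s in prefilter(sigs, payload) if full_match(s, payload)}


# The two rules from the report, transcribed into the toy model.
SID_12757 = Signature(
    12757, "WEB-CLIENT Apple Quicktime uncompressed PICT stack overflow attempt",
    [Content(parse_content("|00 00 00 00 00 00 00 00 00 00|")),
     Content(parse_content("|00 11 02 FF|"), distance=0, fast_pattern=True),
     Content(parse_content("|82 01|"), distance=0)],
    ByteTest(4, "<", 50, 0, relative=True),
)
SID_498 = Signature(498, "ATTACK-RESPONSES id check returned root",
                    [Content(parse_content("uid=0|28|root|29|"))])

# Constructed sample payloads (not captured traffic).
ID_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
               b"uid=0(root) gid=0(root) groups=0(root)\n")
PICT_PAYLOAD = b"\x00" * 10 + b"\x00\x11\x02\xff" + b"\x82\x01" + (10).to_bytes(4, "big") + b"tail"


def regression_check(payload: bytes) -> Tuple[Set[int], Set[int]]:
    """Verdict for sid:498 alone versus sid:498 loaded next to sid:12757; both must agree."""
    return inspect([SID_498], payload), inspect([SID_12757, SID_498], payload)


if __name__ == "__main__":
    print(regression_check(ID_RESPONSE))            # ({498}, {498})
    print(inspect([SID_12757, SID_498], PICT_PAYLOAD))  # {12757}
```

The point of `regression_check` is the invariant behind the bug report: a signature's candidate status comes from its own prefilter pattern, so adding a second signature with a fast_pattern on the same buffer may add candidates but must never remove one.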
Updated by Anoop Saldanha about 15 years ago
I have attached a fix against 746d12071e68dd0bbd2f5f4e0823b9f401e61e16.
Updated by Victor Julien about 15 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
Patches for unittest and fix are applied, thanks Anoop and Will.