Bug #1674: Cannot use 'tag:session' after base64_data keyword - Suricata - Open Information Security Foundation

Bug #1674

Updated by Victor Julien over 8 years ago

When setting tag:session *after* using a base64_data, Suricata complains. It works if you remove the tag:session, *or* move to before the base64_data key word. The position of tag:session should be irrelevant, as this is a post-detection rule option. 

 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"some b64thing"; flow:established,from_server; file_data; content:"sometext"; fast_pattern; base64_decode:relative; base64_data; content:"foobar"; nocase; tag:session,120,seconds; classtype:bad-unknown; sid:1111111; rev:1;) 

 <pre> 
 duane@testbox:~$ suricata -c /etc/suricata/suricata.yaml -S b64.rules -T 
 22/1/2016 -- 19:31:44 - <Info> - Running suricata under test mode 
 Initialization syslog logging with format "[%i] <%d> -- ". 
 22/1/2016 -- 19:31:44 - <Notice> - This is Suricata version 3.0RC2 RELEASE 
 22/1/2016 -- 19:31:44 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - Rule buffer cannot be reset after base64_data. 
 22/1/2016 -- 19:31:44 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"some b64thing"; flow:established,from_server; file_data; content:"sometext"; fast_pattern; base64_decode:relative; base64_data; content:"foobar"; nocase; tag:session,120,seconds; classtype:bad-unknown; sid:1111111; rev:1;)" from file b64.rules at line 1 
 ______________________________________________________________________ 

 </pre> 

 


 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"some b64thing"; flow:established,from_server; file_data; content:"sometext"; fast_pattern; base64_decode:relative; base64_data; content:"foobar"; nocase; classtype:bad-unknown; sid:1111111; rev:1;) 

 <pre> 
 duane@testbox:~$ suricata -c /etc/suricata/suricata.yaml -S b64.rules -T 
 22/1/2016 -- 19:32:05 - <Info> - Running suricata under test mode 
 Initialization syslog logging with format "[%i] <%d> -- ". 
 22/1/2016 -- 19:32:05 - <Notice> - This is Suricata version 3.0RC2 RELEASE 
 <snip> 
 22/1/2016 -- 19:32:05 - <Notice> - Configuration provided was successfully loaded. Exiting. 
 ______________________________________________________________________ 
 </pre> 


 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"some b64thing"; flow:established,from_server; file_data; content:"sometext"; fast_pattern; tag:session,120,seconds; base64_decode:relative; base64_data; content:"foobar"; nocase; classtype:bad-unknown; sid:1111111; rev:1;) 
 <pre> 

 duane@testbox:~$ suricata -c /etc/suricata/suricata.yaml -S b64.rules -T 
 duane@testbox:~$ sudo /usr/local/bin/suricata -c /etc/suricata/suricata.yaml -S b64.rules -T 
 22/1/2016 -- 19:40:41 - <Info> - Running suricata under test mode 
 Initialization syslog logging with format "[%i] <%d> -- ". 
 22/1/2016 -- 19:40:41 - <Notice> - This is Suricata version 3.0RC2 RELEASE 
 <snip> 
 22/1/2016 -- 19:40:41 - <Notice> - Configuration provided was successfully loaded. Exiting. 
 </pre>

Back

Project

General

Profile

Suricata

Bug #1674