Bug #1042: Can't match "emailAddress" field in tls.subject and tls.issuerdn
Status: closed
Description
This rule:
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"RDG possible Upatre Downloader SSL certificate emailAddress"; flow:established,from_server; tls.subject:"emailAddress=ds@ds.fds"; classtype:trojan-activity; sid:380000002; rev:1;)
fails with "(detect-tls.c:269) <Error> (DetectTlsSubjectParse) -- [ERRCODE: SC_ERR_PCRE_MATCH(2)] - invalid tls.subject option" in suricata.log.
It seems the rule parser is disallowing the "@" character.
I've tried modifying src/detect-tls.c:
--- src/detect-tls.c.orig 2013-11-19 10:39:24.651883765 +0000 +++ src/detect-tls.c 2013-11-20 00:37:41.791132862 +0000 @@ -64,8 +64,8 @@ * \brief Regex for parsing "id" option, matching number or "number" */ -#define PARSE_REGEX "^\\s*(\\!*)\\s*([A-z0-9\\s\\-\\.=,\\*]+|\"[A-z0-9\\s\\-\\.=,\\*]+\")\\s*$" -#define PARSE_REGEX_FINGERPRINT "^\\s*(\\!*)\\s*([A-z0-9\\:\\*]+|\"[A-z0-9\\:\\* ]+\")\\s*$" +#define PARSE_REGEX "^\\s*(\\!*)\\s*([A-z0-9\\s\\-\\.=,\\*\\@]+|\"[A-z0-9\\s\\-\\.=,\\*\\@]+\")\\s*$" +#define PARSE_REGEX_FINGERPRINT "^\\s*(\\!*)\\s*([A-z0-9\\:\\*\\@]+|\"[A-z0-9\\:\\* \\@]+\")\\s*$" static pcre *subject_parse_regex; static pcre_extra *subject_parse_regex_study;
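Review bot: the change to PARSE_REGEX_FINGERPRINT is not needed for this fix and should be dropped from the patch; tls.fingerprint values are colon-separated hex digit pairs, so "@" has no legitimate place in that class and widening it only loosens validation of a different keyword. Keep the "\\@" addition in PARSE_REGEX, and keep it in both of its alternatives, since the reported rule uses the quoted form (the second alternative) and an unquoted value would hit the first. Separately, both macros use the range A-z, which covers ASCII 65 to 122 and so already admits "[", "\", "]", "^", "_" and "`" in addition to letters; A-Za-z is presumably what was intended. The comment above these lines (Regex for parsing "id" option, matching number or "number") also no longer describes what the patterns parse and is worth updating in the same change.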
which appears to solve the problem, but I'm not sure whether it was necessary to modify all the character classes in those regular expressions.
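To see exactly what each of the two patterns admits, here is a small Python re-implementation of the accept/reject step, added here for illustration and not taken from Suricata; the helper names parse_tls_option and accepted_punctuation are hypothetical. It assumes Python's re module behaves like PCRE for these particular patterns (it does), runs the rule's own option value through the original and the patched PARSE_REGEX, and probes each pattern for the punctuation it lets through.

```python
import re
import string

# Patterns as quoted in the bug report with the C string escaping removed.
# These are copied from the report, not from a Suricata release.
PARSE_REGEX_OLD = r'^\s*(\!*)\s*([A-z0-9\s\-\.=,\*]+|"[A-z0-9\s\-\.=,\*]+")\s*$'
PARSE_REGEX_NEW = r'^\s*(\!*)\s*([A-z0-9\s\-\.=,\*\@]+|"[A-z0-9\s\-\.=,\*\@]+")\s*$'
PARSE_REGEX_FINGERPRINT = r'^\s*(\!*)\s*([A-z0-9\:\*]+|"[A-z0-9\:\* ]+")\s*$'

# The option value exactly as it appears in the rule from the report,
# including the surrounding quotes, which is how the keyword parser sees it.
RULE_OPTION = '"emailAddress=ds@ds.fds"'


def parse_tls_option(value, pattern):
    """Mimic the accept/reject step of DetectTlsSubjectParse (hypothetical
    re-implementation, not Suricata's code).

    Returns (negated, inner_string) on success, or None where Suricata
    would log 'invalid tls.subject option'.
    """
    m = re.match(pattern, value)
    if m is None:
        return None
    negated = m.group(1) != ""        # a leading '!' makes the match negated
    inner = m.group(2).strip('"')     # drop the optional surrounding quotes
    return negated, inner


def accepted_punctuation(pattern):
    """Return the set of ASCII punctuation characters that `pattern` lets
    through inside an unquoted value, by probing each one between two letters.

    This exposes that the A-z range also admits '[', '\\', ']', '^', '_'
    and '`', not just letters.
    """
    return {c for c in string.punctuation
            if re.match(pattern, "a" + c + "a") is not None}


if __name__ == "__main__":
    print("original PARSE_REGEX:", parse_tls_option(RULE_OPTION, PARSE_REGEX_OLD))
    print("patched PARSE_REGEX: ", parse_tls_option(RULE_OPTION, PARSE_REGEX_NEW))
    print("negated form:        ", parse_tls_option("!" + RULE_OPTION, PARSE_REGEX_NEW))
    print("subject regex admits:    ", sorted(accepted_punctuation(PARSE_REGEX_OLD)))
    print("fingerprint regex admits:", sorted(accepted_punctuation(PARSE_REGEX_FINGERPRINT)))
```

The only punctuation the patched subject pattern gains over the original is "@", while the fingerprint pattern never needed it for hex-and-colon values.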