Bug #1329

closed

Invalid rule being processed and loaded.

Added by Duane Howard about 10 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I noticed that by setting the protocol after 'alert' to some invalid option, the rule 'loads' successfully.

For example if I take:
alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"ET TROJAN IRC Channel JOIN on non-standard port"; flow:to_server,established; dsize:<64; content:"JOIN "; nocase; depth:5; pcre:"/&|#|\+|!/R"; reference:url,doc.emergingthreats.net/bin/view/Main/2000348; classtype:trojan-activity; sid:2000348; rev:12;)

and turn it into:
alert this_isnt_a_protocol $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"ET TROJAN IRC Channel JOIN on non-standard port"; flow:to_server,established; dsize:<64; content:"JOIN "; nocase; depth:5; pcre:"/&|#|\+|!/R"; reference:url,doc.emergingthreats.net/bin/view/Main/2000348; classtype:trojan-activity; sid:2000348; rev:12;) ....

The rule appears to load and no error is thrown.

This was tested on 2.0.4 and on 2.1.
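As an added illustration (this is not Suricata's code and not part of the ticket), the check the report asks for: the protocol keyword in a rule header has to be matched against the set of protocols the engine knows, and a miss has to be reported instead of being accepted. The linter below applies that check to a ruleset before it reaches the engine. KNOWN_PROTOCOLS and ACTIONS are assumptions about a typical 2.x build with app-layer detection enabled (the real list depends on the build and on app-layer.protocols.*.detection-enabled in suricata.yaml); the sample ruleset is constructed from the two rules quoted above.

```python
"""Pre-load linter for Suricata-style rule headers (added example).

Not Suricata's own code. KNOWN_PROTOCOLS and ACTIONS are assumptions
about a typical 2.x build; adjust them to the build and yaml in use.
"""
import re

# Assumed set of protocols a 2.x engine accepts in the header.
KNOWN_PROTOCOLS = frozenset({
    # packet-level protocols
    "ip", "tcp", "udp", "icmp",
    # app-layer protocols, assumed enabled in the running config
    "http", "tls", "dns", "ftp", "smtp", "ssh", "smb", "dcerpc", "imap", "msn",
})

# Assumed set of rule actions.
ACTIONS = frozenset({"alert", "pass", "drop", "reject"})

# header layout: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def lint_rule(rule: str, known=KNOWN_PROTOCOLS) -> list:
    """Return a list of error strings; an empty list means the rule passed."""
    m = HEADER_RE.match(rule)
    if not m:
        return ["malformed rule header"]
    errors = []
    if m["action"] not in ACTIONS:
        errors.append(f'unknown action "{m["action"]}"')
    # The check this ticket is about: an unknown protocol is an error,
    # never something to load silently.
    if m["proto"] not in known:
        errors.append(f'protocol "{m["proto"]}" cannot be used in a signature')
    if not re.search(r"(?:^|;)\s*sid\s*:\s*\d+\s*;", m["opts"]):
        errors.append("missing sid")
    return errors


def lint_file(text: str, known=KNOWN_PROTOCOLS) -> dict:
    """Lint every non-blank, non-comment line; return {line_no: errors}."""
    findings = {}
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        errors = lint_rule(line, known)
        if errors:
            findings[line_no] = errors
    return findings


# Constructed samples: the valid rule from the report and the variant with
# the bogus protocol (without the trailing "...." from the post).
VALID_RULE = (
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 '
    r'(msg:"ET TROJAN IRC Channel JOIN on non-standard port"; '
    r'flow:to_server,established; dsize:<64; content:"JOIN "; nocase; depth:5; '
    r'pcre:"/&|#|\+|!/R"; '
    r'reference:url,doc.emergingthreats.net/bin/view/Main/2000348; '
    r'classtype:trojan-activity; sid:2000348; rev:12;)'
)
INVALID_RULE = VALID_RULE.replace("alert tcp ", "alert this_isnt_a_protocol ", 1)

SAMPLE_RULES = "\n".join([
    "# constructed ruleset for the linter",
    VALID_RULE,
    "",
    INVALID_RULE,
])


if __name__ == "__main__":
    for line_no, errors in sorted(lint_file(SAMPLE_RULES).items()):
        for err in errors:
            print(f"line {line_no}: {err}")
```

Run it against a rules file before restarting the engine; a non-empty result from lint_file is the same condition that the fixed engine reports as SC_ERR_UNKNOWN_PROTOCOL, caught before reload instead of after.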

Actions #1

Updated by Victor Julien about 10 years ago

  • Target version set to 2.0.5
Actions #2

Updated by Duane Howard about 10 years ago

Sorry for the delay again on testing, been swamped. Looks like it's working to me... =)

[3452] 9/12/2014 -- 15:45:00 - (detect-parse.c:611) <Error> (SigParseProto) -- [ERRCODE: SC_ERR_UNKNOWN_PROTOCOL(124)] - protocol "this_isnt_a_protocol" cannot be used in a signature. Either detection for this protocol supported yet OR detection has been disabled for protocol through the yaml option app-layer.protocols.this_isnt_a_protocol.detection-enabled

[3452] 9/12/2014 -- 15:45:00 - (detect.c:357) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert this_isnt_a_protocol $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"ET TROJAN IRC Channel JOIN on non-standard port"; flow:to_server,established; dsize:<64; content:"JOIN "; nocase; depth:5; pcre:"/&|#|\+|!/R"; reference:url,doc.emergingthreats.net/bin/view/Main/2000348; classtype:trojan-activity; sid:2000348; rev:12;)" from file /etc/suricata/rules/empty.rules at line 5

Actions #3

Updated by Victor Julien about 10 years ago

  • Status changed from New to Closed
  • Assignee set to Victor Julien
  • % Done changed from 0 to 100