Project

General

Profile

Actions

Bug #1329

closed

Invalid rule being processed and loaded.

Added by Duane Howard about 10 years ago. Updated about 10 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I noticed by setting the protocol after 'alert' to some invalid option the rule 'loads' successfully.

For example if I take:
alert tcp $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"ET TROJAN IRC Channel JOIN on non-standard port"; flow:to_server,established; dsize:<64; content:"JOIN "; nocase; depth:5; pcre:"/&|#|\+|!/R"; reference:url,doc.emergingthreats.net/bin/view/Main/2000348; classtype:trojan-activity; sid:2000348; rev:12;)

and turn it into:
alert this_isnt_a_protocol $HOME_NET any -> $EXTERNAL_NET !6666:7000 (msg:"ET TROJAN IRC Channel JOIN on non-standard port"; flow:to_server,established; dsize:<64; content:"JOIN "; nocase; depth:5; pcre:"/&|#|\+|!/R"; reference:url,doc.emergingthreats.net/bin/view/Main/2000348; classtype:trojan-activity; sid:2000348; rev:12;) ....

The rule appears to load and no error is thrown.

This was tested on 2.0.4 and on 2.1

Actions

Also available in: Atom PDF