Bug #167: asn1 keyword needs to be able to support negative values for relative offsets. - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #167

closed

asn1 keyword needs to be able to support negative values for relative offsets.

Added by Will Metcalf over 14 years ago. Updated over 14 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Pablo Rincon

Target version:

0.9.2

Affected Versions:

Effort:

Difficulty:

Label:

Description

asn1 keyword needs to be able to support negative values for relative offsets. See sids 2578 and 2579 in the VRT exploit.rules for example usage. Below is the error given by suricata when trying to use a value of -1 i.e. move the cursor to be one byte previous to the last match.

[23964] 26/5/2010 -- 06:51:06 - (util-byte.c:167) <Error> (ByteExtractStringUint32) -- [ERRCODE: SC_ERR_NUMERIC_VALUE_ERANGE(59)] - Numeric value out of range (ffffffff != ffffffffffffffff)
[23964] 26/5/2010 -- 06:51:06 - (detect-asn1.c:250) <Error> (DetectAsn1Parse) -- [ERRCODE: SC_ERR_INVALID_VALUE(126)] - Malformed value for relative_offset: 1
[23964] 26/5/2010 - 06:51:06 - (detect.c:321) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "VRT RULE HERE" from file /etc/suricata/exploit.rules at line 90
[23964] 26/5/2010 -- 06:51:06 - (util-byte.c:167) <Error> (ByteExtractStringUint32) -- [ERRCODE: SC_ERR_NUMERIC_VALUE_ERANGE(59)] - Numeric value out of range (ffffffff != ffffffffffffffff)
[23964] 26/5/2010 -- 06:51:06 - (detect-asn1.c:250) <Error> (DetectAsn1Parse) -- [ERRCODE: SC_ERR_INVALID_VALUE(126)] - Malformed value for relative_offset: 1
[23964] 26/5/2010 - 06:51:06 - (detect.c:321) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "VRT RULE HERE" from file /etc/suricata/exploit.rules at line 91

Files

0001-Fixing-asn1-relative-offset-negative-values.patch (5.32 KB) 0001-Fixing-asn1-relative-offset-negative-values.patch

support negative values for relative offsets at asn1 keyword

Pablo Rincon, 06/01/2010 04:25 PM

Actions

Copy link

Updated by Victor Julien over 14 years ago

Due date changed from 06/10/2010 to 06/04/2010
Assignee changed from OISF Dev to Pablo Rincon

Actions

Copy link

Updated by Pablo Rincon over 14 years ago

File 0001-Fixing-asn1-relative-offset-negative-values.patch 0001-Fixing-asn1-relative-offset-negative-values.patch added
Status changed from New to Assigned

Hi, after reviewing snorts code, it seems that only the relative offset value will take effect with a negative value. It seems that a negative value for absolute offsets doesn't make sense, because it will always be out of bounds. So I implemented it only for relative values, ignoring the definition at the documentation regarding to negative values for absolute offsets.

Actions

Copy link