Bug #167

closed

asn1 keyword needs to be able to support negative values for relative offsets.

Added by Will Metcalf over 14 years ago. Updated over 14 years ago.

Status: Closed
Priority: Normal

Description

asn1 keyword needs to be able to support negative values for relative offsets. See sids 2578 and 2579 in the VRT exploit.rules for example usage. Below is the error given by Suricata when trying to use a value of -1, i.e. move the cursor to be one byte previous to the last match.

[23964] 26/5/2010 -- 06:51:06 - (util-byte.c:167) <Error> (ByteExtractStringUint32) -- [ERRCODE: SC_ERR_NUMERIC_VALUE_ERANGE(59)] - Numeric value out of range (ffffffff != ffffffffffffffff)
[23964] 26/5/2010 -- 06:51:06 - (detect-asn1.c:250) <Error> (DetectAsn1Parse) -- [ERRCODE: SC_ERR_INVALID_VALUE(126)] - Malformed value for relative_offset: 1
[23964] 26/5/2010 -- 06:51:06 - (detect.c:321) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "VRT RULE HERE" from file /etc/suricata/exploit.rules at line 90
[23964] 26/5/2010 -- 06:51:06 - (util-byte.c:167) <Error> (ByteExtractStringUint32) -- [ERRCODE: SC_ERR_NUMERIC_VALUE_ERANGE(59)] - Numeric value out of range (ffffffff != ffffffffffffffff)
[23964] 26/5/2010 -- 06:51:06 - (detect-asn1.c:250) <Error> (DetectAsn1Parse) -- [ERRCODE: SC_ERR_INVALID_VALUE(126)] - Malformed value for relative_offset: 1
[23964] 26/5/2010 -- 06:51:06 - (detect.c:321) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(37)] - Error parsing signature "VRT RULE HERE" from file /etc/suricata/exploit.rules at line 91


Files

0001-Fixing-asn1-relative-offset-negative-values.patch (5.32 KB): support negative values for relative offsets at asn1 keyword. Pablo Rincon, 06/01/2010 04:25 PM
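
The failure mode reported above, as an added example that is not code from Suricata or from the attached patch: parsing "-1" as an unsigned 32-bit value fails a round-trip check with the same value pair the log prints, while a signed parse with range checks accepts it. The helper names parse_u32, parse_i32 and apply_relative are hypothetical, and the buffer-bounds check on the resulting cursor is an assumption about how a negative offset should be constrained.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical helper, not Suricata's API: unsigned 32-bit parse with a
 * round-trip check. Returns 0 on success, -1 on bad or out-of-range input. */
int parse_u32(const char *s, uint32_t *out)
{
    char *end;
    errno = 0;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return -1;
    /* strtoull("-1") yields 0xffffffffffffffff; truncated to 32 bits that is
     * 0xffffffff, so the round trip fails (the value pair shown in the log). */
    if ((unsigned long long)(uint32_t)v != v)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

/* Hypothetical helper: signed 32-bit parse, so "-1" is a valid offset. */
int parse_i32(const char *s, int32_t *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return -1;
    if (v < INT32_MIN || v > INT32_MAX)
        return -1;
    *out = (int32_t)v;
    return 0;
}

/* Hypothetical helper: move a cursor by a signed offset inside a buffer of
 * len bytes, rejecting any result outside [0, len] (assumed constraint). */
int apply_relative(size_t cursor, int32_t rel, size_t len, size_t *out)
{
    uint64_t mag = rel < 0 ? (uint64_t)(-(int64_t)rel) : (uint64_t)rel;
    if (cursor > len)
        return -1;
    if (rel < 0 ? mag > cursor : mag > len - cursor)
        return -1; /* would land before the start or past the end */
    *out = rel < 0 ? cursor - (size_t)mag : cursor + (size_t)mag;
    return 0;
}
```
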