Bug #1826

open

Feature #4855: rules: refactor rule parsing into multi-stage parser

Rule validation bug with fast_pattern:only and specified buffers

Added by David Wharton over 8 years ago. Updated about 3 years ago.

Status: New
Priority: Normal

Description

Relative keywords cannot be used around a "fast_pattern:only" context and the Suricata rule validation checks for this. However, there are cases where this validation doesn't recognize that the relative keywords apply to a particular buffer (e.g. "http_*") and are not invalid. Take this rule for example:

alert http any any -> any any (msg:"Rule validation issue - ERROR"; content:"whatever"; fast_pattern:only; content:"ABC"; http_uri; content:"123"; distance:3; http_uri; sid:1234;)

It will produce the following error:
<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content

But if you move the "http_*" modifier to before the distance/within modifier(s), it works:
alert http any any -> any any (msg:"Rule validation issue - NO_ERROR"; content:"whatever"; fast_pattern:only; content:"ABC"; http_uri; content:"123"; http_uri; distance:3; sid:1234;)

The issue is with rule validation only and doesn't affect detection.
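As an added illustration (not Suricata's code, and not written by the reporter), the Python model below reproduces the two validation orders the report contrasts: a single-pass check that knows a content's buffer only as far as the keywords parsed so far, and a two-stage check that first collects every content with its final buffer and only then validates relative keywords against the previous content in that buffer. The two rules and the error text are taken from the report; the keyword subset, the Content record, the helper names and the third, genuinely invalid rule are assumptions constructed for the example. The practical point is that a rule rejected at load time never fires, so a false validation error is a silent detection gap rather than a cosmetic problem.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: a small keyword subset is enough for the rules in this report.
# A real parser handles many more (byte_test/byte_jump "relative", etc.).
RELATIVE_KEYWORDS = {"distance", "within"}
BUFFER_MODIFIERS = {"http_uri", "http_header", "http_method", "http_cookie",
                    "http_client_body", "http_user_agent"}
DEFAULT_BUFFER = "payload"

# Error text as quoted in the report.
FAST_PATTERN_ONLY_ERROR = (
    "previous keyword has a fast_pattern:only; set. "
    "Can't have relative keywords around a fast_pattern only content"
)


@dataclass
class Content:
    pattern: str
    buffer: str = DEFAULT_BUFFER
    fast_pattern_only: bool = False
    relative: bool = False


# keyword, optional ":value" (quoted or bare), terminating ";"
OPTION_RE = re.compile(r'\s*([A-Za-z_]+)\s*(?::\s*("[^"]*"|[^;]*))?\s*;')


def parse_options(rule: str) -> List[Tuple[str, Optional[str]]]:
    """Split the parenthesised option block into (keyword, value) pairs."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    return [(m.group(1), m.group(2)) for m in OPTION_RE.finditer(body)]


def previous_in_buffer(contents: List[Content], index: int, buffer: str) -> Optional[Content]:
    """Last content before position `index` that lives in `buffer`, or None."""
    for c in reversed(contents[:index]):
        if c.buffer == buffer:
            return c
    return None


def relative_error(prev: Optional[Content]) -> Optional[str]:
    """Validation rule for a relative keyword given its anchor content."""
    if prev is None:
        return "relative keyword without a preceding content in the same buffer"
    if prev.fast_pattern_only:
        return FAST_PATTERN_ONLY_ERROR
    return None


def apply_option(contents: List[Content], kw: str, val: Optional[str]) -> bool:
    """Update parser state for one option; return True if kw was a relative keyword."""
    if kw == "content":
        contents.append(Content(pattern=(val or "").strip('"')))
        return False
    needs_content = kw == "fast_pattern" or kw in BUFFER_MODIFIERS or kw in RELATIVE_KEYWORDS
    if needs_content and not contents:
        raise ValueError(f"{kw} needs a preceding content")
    if kw == "fast_pattern" and val == "only":
        contents[-1].fast_pattern_only = True
    elif kw in BUFFER_MODIFIERS:
        contents[-1].buffer = kw          # modifier applies to the preceding content
    elif kw in RELATIVE_KEYWORDS:
        contents[-1].relative = True
        return True
    return False


def validate_single_pass(rule: str) -> List[str]:
    """Check the relative keyword the moment it is parsed (the order the report describes)."""
    contents, errors = [], []
    for kw, val in parse_options(rule):
        if apply_option(contents, kw, val):
            cur = contents[-1]          # its buffer is whatever has been seen so far
            err = relative_error(previous_in_buffer(contents, len(contents) - 1, cur.buffer))
            if err:
                errors.append(err)
    return errors


def validate_two_stage(rule: str) -> List[str]:
    """Stage 1: collect contents with their final buffers; stage 2: validate."""
    contents: List[Content] = []
    for kw, val in parse_options(rule):
        apply_option(contents, kw, val)
    errors = []
    for i, c in enumerate(contents):
        if c.relative:
            err = relative_error(previous_in_buffer(contents, i, c.buffer))
            if err:
                errors.append(err)
    return errors


# The two rules from the report, plus a constructed rule that really is invalid.
RULE_ERROR = ('alert http any any -> any any (msg:"Rule validation issue - ERROR"; '
              'content:"whatever"; fast_pattern:only; content:"ABC"; http_uri; '
              'content:"123"; distance:3; http_uri; sid:1234;)')
RULE_NO_ERROR = ('alert http any any -> any any (msg:"Rule validation issue - NO_ERROR"; '
                 'content:"whatever"; fast_pattern:only; content:"ABC"; http_uri; '
                 'content:"123"; http_uri; distance:3; sid:1234;)')
RULE_REALLY_INVALID = ('alert http any any -> any any (msg:"constructed - really invalid"; '
                       'content:"whatever"; fast_pattern:only; content:"ABC"; distance:3; sid:1235;)')

if __name__ == "__main__":
    for name, rule in [("ERROR", RULE_ERROR), ("NO_ERROR", RULE_NO_ERROR),
                       ("REALLY_INVALID", RULE_REALLY_INVALID)]:
        print(name, "single-pass:", validate_single_pass(rule),
              "| two-stage:", validate_two_stage(rule))
```

Running it shows that only the single-pass order rejects the first rule: when `distance:3;` is parsed, `content:"123"` has not yet been moved into http_uri, so the check walks the payload list and lands on the fast_pattern:only content. The two-stage order accepts both report rules and still rejects the constructed rule whose relative content really does follow a fast_pattern:only content in the same buffer, which is the behaviour a multi-stage parser (the direction named by the parent feature) would give.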


Files

whatever.pcap (574 Bytes): test for relative byte_test after fast_pattern:only. David Wharton, 07/06/2016 09:24 AM

Related issues (2 open, 0 closed)

Related to Suricata - Bug #1926: rule parsing: wrong content checked for fast_pattern (snort compatibility) (New, OISF Dev)
Related to Suricata - Bug #2205: Buffer confusion with fast_pattern:only; (Assigned, Victor Julien)