Project

General

Profile

Actions
Copy link

Bug #1889

closed

Suricata doesn't error on missing semicolon

Added by Francis Trudeau about 8 years ago. Updated almost 8 years ago.

Status:
Closed
Priority:
High
Assignee:
Jason Ish
Target version:
3.1.3
Affected Versions:
Effort:
Difficulty:
Label:

Description

This rule:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern:only; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"Server|3a 20|nginx"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b\x20filename=(?:[a-z0-9]{4})?\r\n/H"; file_data; content:"ZWS"; within:3; flowbits:set,et.Nuclear.Payload classtype:trojan-activity; sid:2020311; rev:9;)

Has a missing semicolon on the flowbit set up. The following versions don't error:

suricata-1.2.1
suricata-1.3.6
suricata-1.4.7
suricata-2.0.6
suricata 2.0.11
suricata 3.0.2
suricata 3.1.2

Local test output:

#suricata 3.1.2 test

This is Suricata version 3.1.2 RELEASE
13/9/2016 -- 09:12:40 - <Notice> - This is Suricata version 3.1.2 RELEASE
13/9/2016 -- 09:12:40 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
13/9/2016 -- 09:12:41 - <Notice> - Signal Received. Stopping engine.
13/9/2016 -- 09:12:41 - <Notice> - Pcap-file module read 6496 packets, 5486789 bytes

#suricata 3.0.2 test

This is Suricata version 3.0.2 RELEASE
13/9/2016 -- 09:12:41 - <Notice> - This is Suricata version 3.0.2 RELEASE
13/9/2016 -- 09:12:41 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
13/9/2016 -- 09:12:41 - <Notice> - Signal Received. Stopping engine.
13/9/2016 -- 09:12:41 - <Notice> - Pcap-file module read 6496 packets, 5486789 bytes

#suricata 2.0.11 test

This is Suricata version 2.0.11 RELEASE
13/9/2016 -- 09:12:41 - <Notice> - This is Suricata version 2.0.11 RELEASE
13/9/2016 -- 09:12:41 - <Notice> - all 1 packet processing threads, 3 management threads initialized, engine started.
13/9/2016 -- 09:12:41 - <Notice> - Signal Received. Stopping engine.
13/9/2016 -- 09:12:41 - <Notice> - Pcap-file module read 6496 packets, 5486789 bytes

#suricata 1.4.7 test

This is Suricata version 1.4.7 RELEASE
13/9/2016 -- 09:12:41 - <Info> - This is Suricata version 1.4.7 RELEASE
13/9/2016 -- 09:12:41 - <Info> - CPUs/cores online: 4

Actions
Copy link
 #1

Updated by Peter Manev about 8 years ago

I can confirm the same (does not err out/complain) with the latest git too - 3.1dev (rev ae11687)

Actions
Copy link
 #2

Updated by Jason Ish about 8 years ago

  • Assignee set to Jason Ish
Actions
Copy link
 #3

Updated by Andreas Herz about 8 years ago

  • Target version set to TBD
Actions
Copy link
 #4

Updated by Victor Julien about 8 years ago

  • Status changed from New to Closed
  • Target version changed from TBD to 3.1.3
Actions
Copy link
 #5

Updated by Francis Trudeau almost 8 years ago

This rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET semicolon test"; flow:established,to_server; content:"Microsoft Office|20|"; http_header; depth:17 classtype:trojan-activity; sid:3031; rev:1;

Does not error on missing semicolon in 3.1.3 or latest git (bbb93e4):

testids/suricata-3.1.3/src/suricata c /etc/suricata/suricata.2.custom.yaml -r test.pcap
23/11/2016 - 16:24:33 - <Notice> - This is Suricata version 3.1.3 RELEASE
23/11/2016 -- 16:24:33 - <Warning> - [ERRCODE: SC_ERR_CONF_YAML_ERROR(242)] - Please use 'tls-store' in YAML to configure TLS storage
23/11/2016 -- 16:24:33 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
23/11/2016 -- 16:24:33 - <Notice> - Signal Received. Stopping engine.
23/11/2016 -- 16:24:33 - <Notice> - Pcap-file module read 379 packets, 316082 bytes

testids/suricata-git//src/suricata c /etc/suricata/suricata.3.2.custom.yaml -r test.pcap
[13247] 23/11/2016 - 16:27:34 - (suricata.c:1007) <Notice> (SCPrintVersion) -- This is Suricata version 3.2dev (rev bbb93e4)
[13261] 23/11/2016 -- 16:27:34 - (log-pcap.c:680) <Notice> (PcapLogInitRingBuffer) -- Ring buffer initialized with 3 files.
[13247] 23/11/2016 -- 16:27:34 - (tm-threads.c:2098) <Notice> (TmThreadWaitOnThreadInit) -- all 1 packet processing threads, 4 management threads initialized, engine started.
[13247] 23/11/2016 -- 16:27:34 - (suricata.c:2630) <Notice> (main) -- Signal Received. Stopping engine.
[13261] 23/11/2016 -- 16:27:34 - (source-pcap-file.c:388) <Notice> (ReceivePcapFileThreadExitStats) -- Pcap-file module read 379 packets, 316082 bytes

Actions
Copy link
 #6

Updated by Victor Julien almost 8 years ago

@Jason Borden, lets address this in a new ticket.

Actions
Copy link
 #7

Updated by Jason Ish almost 8 years ago

Victor Julien wrote:

@Jason Borden, lets address this in a new ticket.

See https://redmine.openinfosecfoundation.org/issues/1961

Actions
Copy link

Also available in: Atom PDF