Bug #1889: Suricata doesn't error on missing semicolon - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #1889

closed

Suricata doesn't error on missing semicolon

Added by Francis Trudeau about 8 years ago. Updated almost 8 years ago.

Status:

Closed

Priority:

High

Assignee:

Jason Ish

Target version:

3.1.3

Affected Versions:

Effort:

Difficulty:

Label:

Description

This rule:

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Nuclear EK SWF M2"; flow:established,from_server; content:"|20|inline|3b 20|filename="; http_header; fast_pattern:only; content:"Content-Type|3a 20|application/octet-stream|0d 0a|"; http_header; content:"Server|3a 20|nginx"; http_header; pcre:"/Content-Disposition\x3a\x20inline\x3b\x20filename=(?:[a-z0-9]{4})?\r\n/H"; file_data; content:"ZWS"; within:3; flowbits:set,et.Nuclear.Payload classtype:trojan-activity; sid:2020311; rev:9;)

Has a missing semicolon on the flowbit set up. The following versions don't error:

suricata-1.2.1
suricata-1.3.6
suricata-1.4.7
suricata-2.0.6
suricata 2.0.11
suricata 3.0.2
suricata 3.1.2

Local test output:

#suricata 3.1.2 test

This is Suricata version 3.1.2 RELEASE
13/9/2016 -- 09:12:40 - <Notice> - This is Suricata version 3.1.2 RELEASE
13/9/2016 -- 09:12:40 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
13/9/2016 -- 09:12:41 - <Notice> - Signal Received. Stopping engine.
13/9/2016 -- 09:12:41 - <Notice> - Pcap-file module read 6496 packets, 5486789 bytes

#suricata 3.0.2 test

This is Suricata version 3.0.2 RELEASE
13/9/2016 -- 09:12:41 - <Notice> - This is Suricata version 3.0.2 RELEASE
13/9/2016 -- 09:12:41 - <Notice> - all 1 packet processing threads, 4 management threads initialized, engine started.
13/9/2016 -- 09:12:41 - <Notice> - Signal Received. Stopping engine.
13/9/2016 -- 09:12:41 - <Notice> - Pcap-file module read 6496 packets, 5486789 bytes

#suricata 2.0.11 test

This is Suricata version 2.0.11 RELEASE
13/9/2016 -- 09:12:41 - <Notice> - This is Suricata version 2.0.11 RELEASE
13/9/2016 -- 09:12:41 - <Notice> - all 1 packet processing threads, 3 management threads initialized, engine started.
13/9/2016 -- 09:12:41 - <Notice> - Signal Received. Stopping engine.
13/9/2016 -- 09:12:41 - <Notice> - Pcap-file module read 6496 packets, 5486789 bytes

#suricata 1.4.7 test

This is Suricata version 1.4.7 RELEASE
13/9/2016 -- 09:12:41 - <Info> - This is Suricata version 1.4.7 RELEASE
13/9/2016 -- 09:12:41 - <Info> - CPUs/cores online: 4

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #1889

Suricata doesn't error on missing semicolon

Updated by Peter Manev about 8 years ago

Updated by Jason Ish about 8 years ago

Updated by Andreas Herz about 8 years ago

Updated by Victor Julien about 8 years ago

Updated by Francis Trudeau almost 8 years ago

Updated by Victor Julien almost 8 years ago

Updated by Jason Ish almost 8 years ago