Project

General

Profile

Actions

Feature #196

closed

Keywords for which we don't support fast_pattern as a modifer should accept the sig and warn.

Added by Will Metcalf over 14 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

"fast_pattern found inside the rule, without any preceding keywords"

The output above came from a fast_pattern modifier to a uricontent keyword. fast_pattern may not make sense or may not be possible for all keywords in suricata where it may make sense in snort. Since these are simply rule optimizations for snort, perhaps in cases such as this we should do the following..

1. Warn the user that the rule can not be optimized with fast_pattern; and the previous keyword they used.
2. Go ahead and parse the rule ignoring the fast_pattern modifier.


Files

0001-Load-signatures-with-incompatible-fast_pattern-optio.patch (3.26 KB) 0001-Load-signatures-with-incompatible-fast_pattern-optio.patch Now it continue loading and warn with a message of compatiblity. Pablo Rincon, 06/30/2010 07:05 AM
0002-Updating-the-http-modifers-that-cannot-be-loaded-wit.patch (2.95 KB) 0002-Updating-the-http-modifers-that-cannot-be-loaded-wit.patch Updating the http modifers that cannot be loaded with fast_pattern Pablo Rincon, 06/30/2010 07:37 AM
0003-Print-also-the-Signature-raw-string.patch (2 KB) 0003-Print-also-the-Signature-raw-string.patch Pablo Rincon, 06/30/2010 10:20 AM
0005-Updating-other-http-modifiers-for-sigs-with-fast_pat.patch (3.02 KB) 0005-Updating-other-http-modifiers-for-sigs-with-fast_pat.patch Updating other http modifiers for sigs with fast_pattern option Pablo Rincon, 07/01/2010 05:16 AM
Actions #1

Updated by Victor Julien over 14 years ago

  • Due date set to 07/05/2010
  • Assignee changed from Victor Julien to Pablo Rincon
  • Estimated time set to 4.00 h

Agreed. Let's do it like this.

Actions #2

Updated by Pablo Rincon over 14 years ago

I have attached a patch for this issue. Now it continue loading and warn with a message of compatiblity.

Actions #3

Updated by Pablo Rincon over 14 years ago

Updating the http modifers that cannot be loaded with fast_pattern. (It's an incremental patch).

Actions #4

Updated by Pablo Rincon over 14 years ago

Adding another patch that also print the signature raw string from the warning (as it now load the rule, it wasn't returning an error, and the complete sig was not displayed).

Actions #5

Updated by Will Metcalf over 14 years ago

regarding patch 0002 it appears as if we need to extend this behavior to http_client_body, http_header, and http_uri as well, based on what seems to be supported by snort.

Actions #6

Updated by Will Metcalf over 14 years ago

seems we have two failing unit tests as well now... These should be fixed prior to release.

Test DetectHttpCookieTest04 : [2746] 30/6/2010 -- 21:46:20 - (detect-http-cookie.c:228) <Warning> (DetectHttpCookieSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_cookie rule can not be used with the fast_pattern rule keyword. Unsetting fast_pattern on this modifier. Signature > alert icmp any any -> any any (msg:"Testing http_cookie"; content:"one"; fast_pattern; http_cookie; sid:1;)
FAILED

Test DetectHttpMethodTest04 : [2746] 30/6/2010 -- 21:46:20 - (detect-http-method.c:182) &lt;Warning&gt; (DetectHttpMethodSetup) -- [ERRCODE: SC_WARN_COMPATIBILITY(159)] - http_method cannot be used with "fast_pattern" currently.Unsetting fast_pattern on this modifier. Signature > alert tcp any any -> any any (msg:"Testing http_method"; content:"GET"; fast_pattern; http_method; sid:1;)
FAILED

Actions #8

Updated by Victor Julien over 14 years ago

  • Target version changed from 1.0.1 to 1.0.0
  • % Done changed from 0 to 100

All applied, thanks guys.

Actions #9

Updated by Victor Julien over 14 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF