Bug #202 (closed): relative pcre not implemented
Description
pcre relative matching hasn't been implemented. For example, if we have the payload
"This is a super duper nova in super nova"
and the rule options
pcre:"/super/"; content:"nova"; within:5;
the sig should fire.
Updated by Anoop Saldanha over 14 years ago
- Assignee changed from OISF Dev to Anoop Saldanha
Updated by Victor Julien over 14 years ago
- Due date set to 07/06/2010
- Target version set to 1.0.1
- Estimated time set to 4.00 h
Updated by Anoop Saldanha over 14 years ago
- File 0001-implement-pcre-relative-matching-in-detect-engine-pa.patch added
Attached patch.
Updated by Victor Julien over 14 years ago
Two questions:
Why did you move all the pcre logic to detect-engine-payload.c?
What is "punt_matching"?
Updated by Anoop Saldanha over 14 years ago
What is "punt_matching"?
Assuming we have 2 content based keywords which are relative, where the first one is either a pcre or content, and the second one is a pcre.
Let's assume the first keyword gives a match and we start with the second keyword now, relative to the first match. If the second keyword fails to give a match and it isn't negated, we return a 0. Now the previous keyword would start iterating to find new matches from its match_offset + 1, but the fact is, if I don't get a match with pcre, we'll never get a match anywhere else, in which case I just set punt_matching = 1 to avoid any further iterations for new matches by the older keywords.
Two questions:
Why did you move all the pcre logic to detect-engine-payload.c?
I need to pass not just ov1 but ov0 as well from a pcre match. Also, I would have to recreate the if/else logic from the payload function again in the payload.c file to set the punt_matching flag.
Updated by Will Metcalf over 14 years ago
- File supernova.pcap supernova.pcap added
- Status changed from New to Closed
- % Done changed from 0 to 100
Tested. Works.
alert tcp any any -> any any (msg:"duplicate string test bug 202 test1"; pcre:"/super/"; content:"nova"; within:5; sid:7777;)
alert tcp any any -> any any (msg:"duplicate string test bug 202 test2"; content:"super"; content:"nova"; within:5; sid:7778;)
src/suricata -c suricata.yaml -l ./ -s blah.rules -r /home/coz/supernova.pcap
...
cat fast.log
07/19/10-18:11:17.250364 [**] [1:7778:0] duplicate string test bug 202 test2 [**] [Classification: (null)] [Priority: 3] {6} 192.168.2.3:59517 -> 192.168.2.138:55555
07/19/10-18:11:17.250364 [**] [1:7777:0] duplicate string test bug 202 test1 [**] [Classification: (null)] [Priority: 3] {6} 192.168.2.3:59517 -> 192.168.2.138:55555
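The two points made in this ticket, the backtracking over earlier keyword matches that the "super duper nova" payload is built to exercise, and the punt_matching shortcut Anoop describes for a relative pcre that fails, can be shown on a small model of the payload matcher. The following Python is an added example written for this page; it is not Suricata's detection engine code and not the attached patch. The classes Content, Pcre and Stats, the PUNT sentinel and the rule_matches function are invented for the illustration, the payload is the one quoted in the ticket, and within/distance are modelled as "match must end within N bytes of the previous match end" and "match must start at least N bytes after it".

```python
import re
from dataclasses import dataclass
from typing import Optional, Union

# Constructed payload copied from the ticket text (not a real capture).
PAYLOAD = b"This is a super duper nova in super nova"


@dataclass
class Content:
    pattern: bytes
    within: Optional[int] = None    # match must END within N bytes of the previous match end
    distance: Optional[int] = None  # match must START at least N bytes after the previous match end

    @property
    def relative(self) -> bool:
        return self.within is not None or self.distance is not None


@dataclass
class Pcre:
    regex: bytes
    relative: bool = False          # models the /R modifier: search starts at the previous match end


Keyword = Union[Content, Pcre]


@dataclass
class Stats:
    pcre_calls: int = 0   # how many times the regex was searched
    punts: int = 0        # how many times a failed relative pcre cut the search short


PUNT = object()           # sentinel: "stop retrying earlier keywords, they cannot help"


def content_candidates(payload: bytes, kw: Content, prev_end: int):
    """Yield the end offset of every occurrence of kw.pattern allowed by within/distance."""
    if kw.relative:
        lo = prev_end + (kw.distance or 0)
        hi = len(payload) if kw.within is None else prev_end + kw.within
    else:
        lo, hi = 0, len(payload)
    pos = lo
    while True:
        i = payload.find(kw.pattern, pos)
        if i == -1:
            return
        end = i + len(kw.pattern)
        if end > hi:
            return
        yield end
        pos = i + 1


def _match_from(payload, keywords, idx, prev_end, stats, punt):
    """Match keywords[idx:] given that keyword idx-1 ended at prev_end."""
    if idx == len(keywords):
        return True
    kw = keywords[idx]
    if isinstance(kw, Content):
        # Try every candidate of this keyword; the next keyword is matched
        # relative to each one in turn (this is the backtracking the ticket's
        # "super duper nova" payload exercises).
        for end in content_candidates(payload, kw, prev_end):
            r = _match_from(payload, keywords, idx + 1, end, stats, punt)
            if r is True:
                return True
            if r is PUNT:
                return PUNT       # propagate: older keywords stop iterating too
        return False
    # Pcre keyword
    stats.pcre_calls += 1
    start = prev_end if kw.relative else 0
    found = False
    for m in re.compile(kw.regex).finditer(payload, start):
        found = True
        r = _match_from(payload, keywords, idx + 1, m.end(), stats, punt)
        if r is True:
            return True
        if r is PUNT:
            return PUNT
    if punt and kw.relative and not found:
        # A relative pcre searched from prev_end to the end of the payload and
        # found nothing; a later prev_end only shrinks that window, so retrying
        # earlier keywords cannot produce a match (the ticket's punt_matching).
        stats.punts += 1
        return PUNT
    return False


def rule_matches(payload: bytes, keywords, punt: bool = True):
    """Return (matched, Stats) for a list of content/pcre keywords."""
    stats = Stats()
    r = _match_from(payload, keywords, 0, 0, stats, punt)
    return r is True, stats


if __name__ == "__main__":
    # The ticket's two signatures: both must fire, and only via the second "super".
    print(rule_matches(PAYLOAD, [Pcre(rb"super"), Content(b"nova", within=5)]))
    print(rule_matches(PAYLOAD, [Content(b"super"), Content(b"nova", within=5)]))
    # Failing relative pcre: one regex search with the punt, two without.
    print(rule_matches(PAYLOAD, [Content(b"super"), Pcre(rb"zzz", relative=True)], punt=True))
    print(rule_matches(PAYLOAD, [Content(b"super"), Pcre(rb"zzz", relative=True)], punt=False))
```

The first "super" ends at offset 15 and the following "nova" ends at 26, outside within:5, so the match only succeeds after backtracking to the second "super" (ends at 35, "nova" ends at 40). The punt shortcut relies on the relative pcre's search window only shrinking as the previous match moves forward, which holds for plain patterns like the ones here; a pattern whose result depends on where the window starts is the case to check before relying on it.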
Updated by Victor Julien over 14 years ago
- Estimated time changed from 4.00 h to 7.00 h