Bug #202 (Closed)
relative pcre not implemented
Added by Anoop Saldanha over 14 years ago. Updated over 14 years ago.
Description
pcre relative matching hasn't been implemented. For example if we have
"This is a super duper nova in super nova"
and
pcre:/super/; content:nova; within:5;
the sig should fire.
Files
0001-pcre-recursive-matching-not-implemented.patch (1.53 KB) | Anoop Saldanha, 07/05/2010 08:46 AM
0001-implement-pcre-relative-matching-in-detect-engine-pa.patch (8.77 KB) | Anoop Saldanha, 07/05/2010 12:49 PM
supernova.pcap (656 Bytes) | This is a super duper nova in super nova | Will Metcalf, 07/19/2010 12:22 PM
Updated by Anoop Saldanha over 14 years ago
- Assignee changed from OISF Dev to Anoop Saldanha
Updated by Victor Julien over 14 years ago
- Due date set to 07/06/2010
- Target version set to 1.0.1
- Estimated time set to 4.00 h
Updated by Anoop Saldanha over 14 years ago
- File 0001-implement-pcre-relative-matching-in-detect-engine-pa.patch added
Attached patch.
Updated by Victor Julien over 14 years ago
Two questions:
Why did you move all the pcre logic to detect-engine-payload.c?
What is "punt_matching"?
Updated by Anoop Saldanha over 14 years ago
What is "punt_matching"?
Assuming we have 2 content based keywords which are relative, where the first one is either a pcre or content, and the second one is a pcre.
Let's assume the first keyword gives a match and we start with the second keyword now, relative to the first match. If the second keyword fails to give a match and it isn't negated, we return a 0. Now the previous keyword would start iterations for finding new matches now from its match_offset + 1, but the fact is if I don't get a match with pcre, we'll never get a match anywhere else, in which case I just set punt_matching = 1, to avoid any further iterations for new matches by the older keywords.
Two questions:
Why did you move all the pcre logic to detect-engine-payload.c?
I need to pass not just ov1, but ov0 as well, from a pcre match. Also I would have to recreate the if/else logic from the payload_function again in the payload.c file, to set the punt_matching flag.
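To make the two points in this thread concrete, the relative matching the description asks for (a keyword searched from the end of the previous match, with `within` bounding the window and the earlier keyword retried from its match offset + 1 when the chain fails) and the punt_matching shortcut Anoop describes (a non-negated pcre searches to the end of the payload, so once it fails no retry of an earlier keyword can help), here is a small Python matcher. It is an added, constructed illustration, not code from Suricata or from the patches attached to this bug; the `Keyword` class, the simplified `within` semantics, the search counter and the `use_punt` switch are assumptions made for the example. It generalizes the shortcut slightly by punting for any non-negated keyword whose window already ran to the payload end, not only a pcre.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample payload: the same text as in the bug report / supernova.pcap.
PAYLOAD = b"This is a super duper nova in super nova"


@dataclass
class Keyword:
    """One relative payload keyword: a fixed 'content' string or a 'pcre' regex (assumed model)."""
    kind: str                      # "content" or "pcre"
    pattern: bytes
    within: Optional[int] = None   # match must end within N bytes of the previous match end
    negated: bool = False          # content:!"..." style negation


def _search(kw: Keyword, payload: bytes, start: int, end: int) -> Optional[Tuple[int, int]]:
    """Leftmost occurrence of kw fully inside payload[start:end], as (start, end), or None."""
    if kw.kind == "content":
        idx = payload.find(kw.pattern, start, end)
        return None if idx == -1 else (idx, idx + len(kw.pattern))
    m = re.compile(kw.pattern).search(payload, start, end)
    return None if m is None else (m.start(), m.end())


def _match_from(payload: bytes, keywords: List[Keyword], idx: int, prev_end: int,
                use_punt: bool, stats: dict) -> Tuple[bool, bool]:
    """Match keywords[idx:] relative to prev_end.

    Returns (matched, punt). punt=True tells the callers that retrying their own
    keyword at a later offset cannot produce a match, so they should stop iterating.
    """
    if idx == len(keywords):
        return True, False
    kw = keywords[idx]
    # A relative keyword starts where the previous one ended; 'within' bounds the
    # window, otherwise (a relative pcre, for instance) it runs to the payload end.
    window_end = len(payload) if kw.within is None else prev_end + kw.within
    pos = prev_end
    if kw.negated:
        stats["searches"] += 1
        if _search(kw, payload, pos, window_end) is not None:
            return False, False   # forbidden pattern present; a later start might exclude it
        return _match_from(payload, keywords, idx + 1, prev_end, use_punt, stats)
    while True:
        stats["searches"] += 1
        found = _search(kw, payload, pos, window_end)
        if found is None:
            # No (further) match. If the window already reached the payload end, any
            # alternative match of an earlier (fixed-length) keyword only ends later and
            # would make us search a sub-range of what just failed: punt_matching.
            return False, use_punt and kw.within is None
        m_start, m_end = found
        ok, punt = _match_from(payload, keywords, idx + 1, m_end, use_punt, stats)
        if ok:
            return True, False
        if punt:
            return False, True
        pos = m_start + 1   # backtrack: retry this keyword from match offset + 1


def match_signature(payload: bytes, keywords: List[Keyword],
                    use_punt: bool = True) -> Tuple[bool, int]:
    """Run the keyword chain over the payload; returns (matched, number_of_searches)."""
    stats = {"searches": 0}
    matched, _ = _match_from(payload, keywords, 0, 0, use_punt, stats)
    return matched, stats["searches"]


# Keyword parts of the two rules Will tested (sid:7777 and sid:7778).
SID_7777 = [Keyword("pcre", rb"super"), Keyword("content", b"nova", within=5)]
SID_7778 = [Keyword("content", b"super"), Keyword("content", b"nova", within=5)]


if __name__ == "__main__":
    for name, sig in (("sid:7777", SID_7777), ("sid:7778", SID_7778)):
        print(name, match_signature(PAYLOAD, sig))
    # Constructed chain whose relative pcre can never match: punting skips the
    # pointless retries of the first "super" match.
    dead = [Keyword("content", b"super"), Keyword("pcre", rb"missing")]
    print("punt on ", match_signature(PAYLOAD, dead, use_punt=True))
    print("punt off", match_signature(PAYLOAD, dead, use_punt=False))
```

On the bug's payload the first "super" (ending at offset 15) is followed by "nova" only at offsets 22-26, outside the 5-byte window, so the chain fails and the first keyword is retried; its second match (ending at 35) is followed by "nova" at 36-40, which fits, so both signatures fire, as in Will's fast.log. With the pcre that can never match, punting stops after two searches where plain backtracking needs five.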
Updated by Will Metcalf over 14 years ago
- File supernova.pcap added
- Status changed from New to Closed
- % Done changed from 0 to 100
tested. works.
alert tcp any any -> any any (msg:"duplicate string test bug 202 test1"; pcre:"/super/"; content:"nova"; within:5; sid:7777;)
alert tcp any any -> any any (msg:"duplicate string test bug 202 test2"; content:"super"; content:"nova"; within:5; sid:7778;)
src/suricata -c suricata.yaml -l ./ -s blah.rules -r /home/coz/supernova.pcap
...
cat fast.log
07/19/10-18:11:17.250364 [**] [1:7778:0] duplicate string test bug 202 test2 [**] [Classification: (null)] [Priority: 3] {6} 192.168.2.3:59517 -> 192.168.2.138:55555
07/19/10-18:11:17.250364 [**] [1:7777:0] duplicate string test bug 202 test1 [**] [Classification: (null)] [Priority: 3] {6} 192.168.2.3:59517 -> 192.168.2.138:55555
Updated by Victor Julien over 14 years ago
- Estimated time changed from 4.00 h to 7.00 h