Bug #25: Negated Port/Address strings parsed incorrectly - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #25

closed

Negated Port/Address strings parsed incorrectly

Added by Anoop Saldanha almost 15 years ago. Updated almost 15 years ago.

Status:

Closed

Priority:

Normal

Assignee:

OISF Dev

Target version:

Affected Versions:

Effort:

Difficulty:

Label:

Description

A port or address string which is negated more than once is parsed incorrectly. For example a port string of

80] should be parsed 80. The same applies for addresses too.

The functions DetectPortParseDo() and DetectAddressParse2() while handling negated values, don't take into account the negated(!) count with depth. This can be handled by incrementing and decrementing a count for the ! symbol on parsing the port and address and passing this value recursively to the above function. A mod 2 of this count indicates it's not negated, else it's negated.

Files

0001-double-port-address-negation-is-parsed-incorrectly.patch (1.24 KB) 0001-double-port-address-negation-is-parsed-incorrectly.patch

Anoop Saldanha, 12/27/2009 11:23 PM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #25

Negated Port/Address strings parsed incorrectly

Updated by Victor Julien almost 15 years ago

Updated by Victor Julien almost 15 years ago