Actions
Bug #2626
closeddoc/err: More descriptive message on err for escaping backslash
Affected Versions:
Effort:
Difficulty:
Label:
Description
When backslash is used in "content" it needs to be escaped. If it is not though - there is no err message about what is wrong - just that the rule fails to load.
It would be helpful to have a descriptive msg about what needs to be improved/escaped in the rule.
The docs do not explicitly mention it needs escaping as a special character either - https://suricata.readthedocs.io/en/latest/rules/payload-keywords.html#content
sudo /opt/suricata-asan/bin/suricata -S unknown.rule -T --engine-analysis -l log/ [17656] 24/9/2018 -- 22:42:17 - (suricata.c:1900) <Info> (ParseCommandLine) -- Running suricata under test mode [17656] 24/9/2018 -- 22:42:17 - (suricata.c:1084) <Notice> (LogVersion) -- This is Suricata version 4.1.0-dev (rev 8c3f1aa7) [17656] 24/9/2018 -- 22:42:17 - (detect-engine-loader.c:187) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Backslash needs escaping msg"; flow:established,to_server; content:"MyBackslash\here"; sid:86; rev:1; )" from file unknown.rule at line 1 [17656] 24/9/2018 -- 22:42:17 - (detect-engine-loader.c:346) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all! [17656] 24/9/2018 -- 22:42:17 - (suricata.c:2439) <Error> (LoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed. cat unknown.rule alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Backslash needs escaping msg"; flow:established,to_server; content:"MyBackslash\here"; sid:86; rev:1; )
The adjustments below help and the rule loads either way
content:"MyBackslash\\here"; content:"MyBackslash|5C|here";
Updated by Victor Julien over 5 years ago
- Status changed from New to Assigned
- Assignee set to Travis Green
- Target version set to 5.0beta1
Updated by Victor Julien over 5 years ago
- Target version changed from 5.0beta1 to 5.0rc1
Updated by Victor Julien over 5 years ago
- Assignee changed from Travis Green to Shivani Bhardwaj
Updated by Shivani Bhardwaj over 5 years ago
- Status changed from Assigned to Feedback
Updated by Victor Julien over 5 years ago
- Status changed from Feedback to Closed
Actions