Bug #2626

closed

doc/err: More descriptive message on err for escaping backslash

Added by Peter Manev over 6 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal

Description

When a backslash is used in "content", it needs to be escaped. If it is not, though, there is no error message about what is wrong, just that the rule fails to load.
It would be helpful to have a descriptive message about what needs to be improved/escaped in the rule.
The docs do not explicitly mention that it needs escaping as a special character either: https://suricata.readthedocs.io/en/latest/rules/payload-keywords.html#content

sudo /opt/suricata-asan/bin/suricata -S unknown.rule  -T --engine-analysis -l log/ 
[17656] 24/9/2018 -- 22:42:17 - (suricata.c:1900) <Info> (ParseCommandLine) -- Running suricata under test mode
[17656] 24/9/2018 -- 22:42:17 - (suricata.c:1084) <Notice> (LogVersion) -- This is Suricata version 4.1.0-dev (rev 8c3f1aa7)
[17656] 24/9/2018 -- 22:42:17 - (detect-engine-loader.c:187) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Backslash needs escaping msg"; flow:established,to_server; content:"MyBackslash\here"; sid:86; rev:1; )" from file unknown.rule at line 1
[17656] 24/9/2018 -- 22:42:17 - (detect-engine-loader.c:346) <Warning> (SigLoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
[17656] 24/9/2018 -- 22:42:17 - (suricata.c:2439) <Error> (LoadSignatures) -- [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - Loading signatures failed.

cat unknown.rule 
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Backslash needs escaping msg"; flow:established,to_server; content:"MyBackslash\here"; sid:86; rev:1; )

The adjustments below help, and the rule loads either way:
content:"MyBackslash\\here";
content:"MyBackslash|5C|here";
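
A pre-load check of the kind this report asks for, as an added example (not part of the original report and not Suricata's own code): it scans each content value for a backslash that does not start an escape, and reports the offset together with the two fixes given above. The function names and the set of characters treated as escapable after a backslash are assumptions of this example.

```python
import re

# Assumption of this example: characters a backslash may precede in content.
ESCAPABLE = {"\\", '"', ";", ":"}
# Matches content:"..." (optionally negated); \x pairs stay inside the value.
CONTENT_RE = re.compile(r'\bcontent\s*:\s*!?\s*"((?:[^"\\]|\\.)*)"')

# The failing rule from the report above.
SAMPLE_RULE = (r'alert tcp $HOME_NET any -> $EXTERNAL_NET any '
               r'(msg:"Backslash needs escaping msg"; flow:established,to_server; '
               r'content:"MyBackslash\here"; sid:86; rev:1; )')


def find_bad_backslashes(value):
    """Return offsets of backslashes that do not start an accepted escape."""
    bad, in_hex, i = [], False, 0
    while i < len(value):
        ch = value[i]
        if ch == "|":
            in_hex = not in_hex              # entering or leaving a |5C| style block
        elif ch == "\\" and not in_hex:
            if i + 1 < len(value) and value[i + 1] in ESCAPABLE:
                i += 1                       # skip the escaped character
            else:
                bad.append(i)
        i += 1
    return bad


def lint_rule(rule, lineno=1):
    """Return one descriptive message per unescaped backslash in content."""
    msgs = []
    for m in CONTENT_RE.finditer(rule):
        value = m.group(1)
        for off in find_bad_backslashes(value):
            fixed = value[:off] + "\\\\" + value[off + 1:]
            hexed = value[:off] + "|5C|" + value[off + 1:]
            msgs.append(f'line {lineno}: content:"{value}" has an unescaped '
                        f'backslash at offset {off}; write content:"{fixed}" '
                        f'or content:"{hexed}"')
    return msgs


if __name__ == "__main__":
    for msg in lint_rule(SAMPLE_RULE):
        print(msg)
```
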
#1

Updated by Victor Julien almost 6 years ago

  • Status changed from New to Assigned
  • Assignee set to Travis Green
  • Target version set to 5.0beta1
#2

Updated by Victor Julien over 5 years ago

  • Target version changed from 5.0beta1 to 5.0rc1
#3

Updated by Victor Julien over 5 years ago

  • Assignee changed from Travis Green to Shivani Bhardwaj
#4

Updated by Shivani Bhardwaj over 5 years ago

  • Status changed from Assigned to Feedback
#5

Updated by Victor Julien over 5 years ago

  • Status changed from Feedback to Closed