Bug #3190
closedfile_data inspection inhibited by additional (non-file_data) content match rule
Description
Following this fix: https://github.com/OISF/suricata/pull/4211/commits/d4bc46038133a26ac0010ef64c865746f95814c7,file_data
base64
mail attachment content inspection started working (see #2395)
on the sample pcap here: https://redmine.openinfosecfoundation.org/attachments/1560
when this single relevant example rule was present: https://redmine.openinfosecfoundation.org/attachments/1748
The problem is that, when a second content-matching rule is also present, as in: https://redmine.openinfosecfoundation.org/attachments/1793,
the file_data
rule no longer fires (both rules should generate alerts on the sample pcap file)!
Opening new bug since
1. I don't know whether this is the same underlying root cause as #2395 itself, and
2. my redmine account apparently doesn't have the power to re-open a closed bug :)
Updated by Victor Julien over 5 years ago
- Related to Bug #2395: File_data inspection depth while inspecting base64 decoded data added
Updated by Victor Julien over 5 years ago
- Affected Versions deleted (
4.0beta1)
It would be good to have a suricata-verify test for this case as well.
Updated by Gabriel Somlo over 5 years ago
Turns out, my redmine account also doesn't have the power to fix the "affected version" field which should be '5.0rc', i.e., "the latest, greatest, and shiniest currently available". Apologies for that mistake!
Updated by Gabriel Somlo over 5 years ago
@Victor: hope this does it: https://github.com/OISF/suricata-verify/pull/130
Updated by Andreas Herz over 5 years ago
- Assignee set to Gabriel Somlo
- Target version set to 5.0.0
- Affected Versions 5.0beta1 added
Updated by Victor Julien over 5 years ago
- Related to Bug #2522: The cross-effects of rules on each other, without the use of flowbits. added
Updated by Victor Julien over 5 years ago
- Assignee changed from Gabriel Somlo to Victor Julien
I've done a bit of investigating and it seems this is the same issue as #2522, but then for SMTP. This makes sense, as the fix was only implemented for HTTP.
Updated by Victor Julien over 5 years ago
- Affected Versions 5.0rc1 added
- Affected Versions deleted (
5.0beta1)
Updated by Victor Julien about 5 years ago
- Status changed from Assigned to Closed