Bug #4199
closedTransformation keyword can’t trigger an alert
Description
I test the transformation keyword url_decode by writing 2 rules. And I get an alert by only using rule2.
However, if I using rule1 and rule2 together, then no alert occurs.
rule1:
alert http any any -> $HOME_NET any (msg:"detecting (/etc/passwd)"; flow:to_server,established; http.request_body; content:"\\\etc\\\passwd")
rule2:
alert http any any -> $HOME_NET any (msg:"detecting (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"\\\etc\\\passwd")
I debug the detection part of the code and figuring out the workflow of transformation. If a rule file containing rule1 detecting a sticky buffer and rule2 detecting the sticky buffer after transformation, Suricata starts from inepecting the original sticky buffer. After this process, the sticky buffer would be flagged as "already inspected". So transformation can't be performed on this sticky buffer since it's already taken and inspected. Therefore, rule2 can't trigger any alert.
I wonder, if it's a BUG of transformation. I can't find any other useful information through the [documentation](https://suricata.readthedocs.io/en/suricata-6.0.0/rules/transforms.h).
Files
Updated by yixuan fang almost 4 years ago
I test the transformation keyword url_decode by writing 2 rules. And I get an alert by only using rule2.
However, if I using rule1 and rule2 together, then no alert occurs.
rule1:
alert http any any -> $HOME_NET any (msg:"detecting (/etc/passwd)"; flow:to_server,established; http.request_body; content:"\\etc\\passwd")
rule2:
alert http any any -> $HOME_NET any (msg:"detecting (/etc/passwd)"; flow:to_server,established; http.request_body; url_decode; content:"\\etc\\passwd")
I debug the detection part of the code and figuring out the workflow of transformation. If a rule file containing rule1 detecting a sticky buffer and rule2 detecting the sticky buffer after transformation, Suricata starts from inepecting the original sticky buffer. After this process, the sticky buffer would be flagged as "already inspected". So transformation can't be performed on this sticky buffer since it's already taken and inspected. Therefore, rule2 can't trigger any alert.
I wonder, if it's a BUG of transformation. I can't find any other useful information through the [documentation](https://suricata.readthedocs.io/en/suricata-6.0.0/rules/transforms.h).
Updated by Jeff Lucovsky almost 4 years ago
- File http-forum.pcap http-forum.pcap added
Attaching pcap provided on forum
Updated by Jeff Lucovsky almost 4 years ago
- Status changed from New to Assigned
- Assignee changed from Victor Julien to Jeff Lucovsky
- Target version set to 7.0.0-beta1
- Label Needs backport to 6.0 added
Updated by Victor Julien almost 4 years ago
- Has duplicate Bug #4210: Alert not generated with 2 rules - http.request body (alone) and http.request_body/url_decode added
Updated by Jeff Lucovsky almost 4 years ago
- Status changed from Assigned to In Review
Updated by Jeff Lucovsky over 3 years ago
- Copied to Bug #4311: Transformation keyword can’t trigger an alert added
Updated by Victor Julien over 3 years ago
- Assignee changed from Jeff Lucovsky to Victor Julien
Updated by Victor Julien over 3 years ago
- Status changed from In Review to Closed
- Priority changed from High to Normal