Bug #451
closedUnable to identify root cause of error parsing a rule when a long 'Source or Destination address list excedd' the maximum size of the buffer available.
Description
When I write a rule with a lot of IPv4 address in the source or destination field I get an error on parsing it and in response suricata don't give useful information to identify the root cause of the problem.
The error message response is bellow and attached there is the rule, so anyone can check that a ']' is not missing and the problem is the ' BIG LIST of IPv4 ADDRESS' :>
19/4/2012 -- 10:43:49 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - not every address block was properly closed in "[ BIG LIST of IPv4 ADDRESS ]", 1 missing closing brackets (]). Note: problem might be in a variable.
19/4/2012 -- 10:43:49 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert ip [ BIG LIST of IPv4 ADDRESS ] any <> any any (msg:"IP blacklist APT"; reference:url,boos.core-dumped.info; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:12345600; rev:2;)" from file /etc/suricata/rules/ip-apt.rules at line 3
Files
Updated by Peter Manev over 12 years ago
Hi ,
Just double checked with Suricata version 1.3dev (rev 61d5fe3), with the ip-apt.rules file provided.
I can confirm the problem.
If the IPs are 89 and below (count, 89 ip addresses ), there is no issues, as soon as they are 90 and above , we get the aforementioned rule failing to load with wrong err msg.
thanks
Updated by Victor Julien over 12 years ago
- Priority changed from Low to Normal
- Target version changed from 1.2.1 to 1.3beta2
- Estimated time set to 4.00 h
Updated by Anoop Saldanha over 12 years ago
- File 0001-bug-451-fix-for-parsing-address.-Increase-buffer-siz.patch 0001-bug-451-fix-for-parsing-address.-Increase-buffer-siz.patch added
- Status changed from New to Resolved
fix attached.
Updated by Victor Julien over 12 years ago
I think this fix is missing a meaningful error for when the address size limit is reached. Increasing the size certainly limits the possibility of this happening (esp since where is a total rule limit as well). Expansion of vars still allows for overrunning this limit I think, so an error is needed.
Updated by Anoop Saldanha over 12 years ago
- File 0002-Add-a-nice-error-message-when-we-exceeded-address-bu.patch 0002-Add-a-nice-error-message-when-we-exceeded-address-bu.patch added
yeah. Added a nice error message now.
Updated by Victor Julien over 12 years ago
- Status changed from Resolved to Closed
Both applied, thanks Anoop!