Project

General

Profile

Actions
Copy link

Bug #4880

open

hostbits/xbits: treat hostbits and xbits differently in the rule ordering stage

Added by zhenjun zhu almost 3 years ago. Updated 4 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

The description of hostbits and xbits in the latest document does not match the status quo.
https://suricata.readthedocs.io/en/latest/rules/xbits.html#xbits-keyword

alert ip any any -> any any (msg:"test xbits set fakehost"; xbits:set, fakehost, track ip_dst; sid:1;)
alert ip any any -> any any (msg:"test xbits isset set fakehost and set fakerservice"; xbits:isset, fakehost, track ip_dst; xbits:set, fakeservice, track ip_dst; sid:2;)
alert ip any any -> any any (msg:"test xbits isset set fakeservice"; xbits:isset, fakeservice, track ip_dst; sid:3;)
I can't get an alert triggered by the third rule.

alert ip any any -> any any (msg:"test hostbits set fakehost"; hostbits:set, fakehost, dst; sid:1;)
alert ip any any -> any any (msg:"test hostbits isset hostbits and set fakerservice"; hostbits:isset, fakehost, dst; hostbits:set, fakeservice, dst; sid:2;)
alert ip any any -> any any (msg:"test hostbits isset fakerservice"; hostbits:isset, fakeservice, dst; sid:3;)
I can get an alert triggered by the third rule.

Related issues 1 (1 open0 closed)

Related to Suricata - Bug #1399: Flowbits rules not always evaluated in necessary orderAssignedVictor JulienActions
Actions
Copy link
 #2

Updated by Philippe Antoine 5 months ago

  • Related to Bug #1399: Flowbits rules not always evaluated in necessary order added
Actions
Copy link
 #3

Updated by Philippe Antoine 5 months ago

  • Target version set to TBD
Actions
Copy link
 #4

Updated by Philippe Antoine 4 months ago

  • Assignee set to OISF Dev
Actions
Copy link

Also available in: Atom PDF