Actions
Bug #5201
closedcontent:"22 2 22"; is parsed without error
Affected Versions:
Effort:
Difficulty:
Label:
Needs backport to 5.0, Needs backport to 6.0
Description
This should probably cause suricata to freak out. It was a rule bug in 2035512 and according to @bmurphy even snort throws an error on this.
Updated by Brandon Murphy almost 3 years ago
Given the following rule:
alert tcp any any -> any any (msg:"test"; content:"|22 2 22|"; sid:1;)
Based on the fast_pattern analysis, Suricata appears to accept this incorrect hex content and actually skips the invalid byte.
== Sid: 1 == alert tcp any any -> any any (msg:"test"; content:"|22 2 22|"; sid:1;) Fast Pattern analysis: Fast pattern matcher: content Flags: None Fast pattern set: no Fast pattern only set: no Fast pattern chop set: no Original content: \x22\x22 Final content: \x22\x22
For comparison sake, snort throws the following fatal error
Initializing rule chains... ERROR: /tmp/test.rules Content hexmode argument has invalid number of hex digits. The argument '|22 2 22|' must contain a full even byte string. Fatal Error, Quitting..
Ideally we can get at least a warning generated on this condition?
Updated by Jason Ish almost 3 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Jason Ish
- Target version changed from TBD to 7.0.0-beta1
- Affected Versions 6.0.4 added
Assigning to me, I fixed this while taking a closer look. Will do a PR tomorrow.
Updated by Jason Ish almost 3 years ago
- Status changed from Assigned to In Review
Updated by Jason Ish almost 3 years ago
- Label Needs backport to 5.0, Needs backport to 6.0 added
Updated by Jeff Lucovsky almost 3 years ago
- Copied to Bug #5212: content:"22 2 22"; is parsed without error added
Updated by Jeff Lucovsky almost 3 years ago
- Copied to Bug #5213: content:"22 2 22"; is parsed without error added
Updated by Victor Julien over 2 years ago
- Status changed from In Review to Closed
Actions