Actions
Bug #5220
closedfast_pattern specification in base64_data shouldn't be allowed
Affected Versions:
Effort:
Difficulty:
Label:
Description
It seems that specifying a fast_pattern in base64_data is ignored both from an error/warning standpoint and from an actual fast_pattern assignment by suricata. It seems suricata should warn/fail on fast_pattern assignment in base64_data.
rule example:
alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; content:"something"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;)
suricata.log:
[52155] 29/3/2022 -- 20:20:41 - (detect-engine-loader.c:354) <Info> (SigLoadSignatures) -- 1 rule files processed. 1 rules successfully loaded, 0 rules failed
rules_fast_pattern.log:
== Sid: 123 ==
alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; content:"something"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;)
Fast Pattern analysis:
Fast pattern matcher: http request method (http_method)
Flags: None
Fast pattern set: no
Fast pattern only set: no
Fast pattern chop set: no
Original content: POST
Final content: POST
suricata version:
This is Suricata version 7.0.0-dev (99b344336 2022-03-25)
Actions