Actions
Bug #5242
closedBug #5220: fast_pattern specification in base64_data shouldn't be allowed
fast_pattern specification in base64_data shouldn't be allowed (6.0.x backport)
Status:
Rejected
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:
Description
It seems that specifying a fast_pattern in base64_data is ignored both from an error/warning standpoint and from an actual fast_pattern assignment by suricata. It seems suricata should warn/fail on fast_pattern assignment in base64_data.
rule example:
alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; content:"something"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;)
suricata.log:
[52155] 29/3/2022 -- 20:20:41 - (detect-engine-loader.c:354) <Info> (SigLoadSignatures) -- 1 rule files processed. 1 rules successfully loaded, 0 rules failed
rules_fast_pattern.log:
== Sid: 123 == alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"POST"; http.request_body; base64_decode:bytes 28; base64_data; content:"something"; fast_pattern; classtype:bad-unknown; sid:123; rev:1;) Fast Pattern analysis: Fast pattern matcher: http request method (http_method) Flags: None Fast pattern set: no Fast pattern only set: no Fast pattern chop set: no Original content: POST Final content: POST
suricata version:
This is Suricata version 7.0.0-dev (99b344336 2022-03-25)
Actions