Project

General

Profile

Actions

Bug #5929

closed

fast_pattern assignment of specific content in combination with urilen results in FN

Added by Brandon Murphy almost 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Consider the following rules and the attached pcap

alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; urilen:<70; http.uri; content:".php?"; content:"=01&"; distance:4; within:4; fast_pattern; sid:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.uri; bsize:<70; content:".php?"; content:"=01&"; distance:4; within:4; fast_pattern; sid:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; urilen:<70; http.uri; content:".php?"; content:"=01&"; distance:4; within:4; sid:3;)
alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.uri; content:".php?"; content:"=01&"; distance:4; within:4; fast_pattern; sid:4;)

Only sid:2, sid:3 and sid:4 fire on git-master (Suricata 7.0.0-rc2-dev (416a780f6 2023-03-17)) and 6.0.10.

sid:2 is a good workaround, however, it lacks whatever optimization that urilen has to make it effect checks (see https://redmine.openinfosecfoundation.org/issues/4226#note-3)

see https://redmine.openinfosecfoundation.org/issues/5197 for a simliar issue


Files

1e3b98e5dad2954.pcap (467 Bytes) 1e3b98e5dad2954.pcap Brandon Murphy, 03/22/2023 08:05 PM

Subtasks 1 (0 open1 closed)

Bug #5948: fast_pattern assignment of specific content in combination with urilen results in FN (6.0.x backport)ClosedVictor JulienActions

Related issues 1 (0 open1 closed)

Related to Suricata - Bug #5931: http2: urilen not supportedClosedVictor JulienActions
Actions

Also available in: Atom PDF