Bug #599

closed

IP Rules Failing "not" matching

Added by Digital Ninja about 12 years ago. Updated almost 12 years ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Given a HOME_NET of 10.0.0.0/8, and the following rules:

alert ip any any -> any any (msg:"IP Match Test 1"; classtype:misc-activity; sid:2012101101;)
alert ip 10.0.0.0/8 any -> any any (msg:"IP Match Test 2"; classtype:misc-activity; sid:2012101102;)
alert ip any any -> 10.0.0.0/8 any (msg:"IP Match Test 3"; classtype:misc-activity; sid:2012101103;)
alert ip 10.0.0.0/8 any -> 10.0.0.0/8 any (msg:"IP Match Test 4"; classtype:misc-activity; sid:2012101104;)

alert ip !192.168.0.0/16 any -> any any (msg:"IP Match Test 5"; classtype:misc-activity; sid:2012101105;)
alert ip ![192.168.0.0/16] any -> any any (msg:"IP Match Test 6"; classtype:misc-activity; sid:2012101106;)
alert ip any any -> !192.168.0.0/16 any (msg:"IP Match Test 7"; classtype:misc-activity; sid:2012101107;)
alert ip any any -> ![192.168.0.0/16] any (msg:"IP Match Test 8"; classtype:misc-activity; sid:2012101108;)

alert ip 192.168.0.0/16 any -> any any (msg:"IP No Match Test 9"; classtype:misc-activity; sid:2012101109;)

Tests 1,2,3,4 & 9 work as expected, with 1-4 generating alerts and 9 not generating alerts.

Tests 5,6,7 & 8 all fail in that they should be generating alerts, but are not.

Actions #1

Updated by Victor Julien about 12 years ago

  • Status changed from New to Assigned
  • Assignee set to Anoop Saldanha
  • Target version set to 1.4beta3

Maybe the ip-only code doesn't handle negated matching very well.

Can you add unittests?

A quick fix may be to exclude rules with negated addresses from ip only, but ideally we'd just support it properly.

Actions #2

Updated by Anoop Saldanha about 12 years ago

Going for the quick fix for now.

Will add the unittests as well.

Actions #3

Updated by Anoop Saldanha about 12 years ago

[192.168.0.0/16,!192.168.1.0/24,192.168.1.1]

What would be the interpretation for this?

Is it,

192.168.0.0 - 192.168.0.255, 192.168.1.1 - 192.168.1.1, 192.168.2.0 - 192.168.255.255?

Actions #4

Updated by Victor Julien about 12 years ago

Yeah sounds right.
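To make the reading agreed in comments #3 and #4 concrete, here is an added Python model of address-group resolution. It is not Suricata code and not from anyone in this thread; it assumes a "most specific entry wins" rule (an entry covering fewer addresses beats one covering more, later entry wins a tie) and treats a group made only of negated entries as "any except", which is an assumption about the intended semantics. It resolves the group from comment #3 into the three ranges listed there and checks the negated source/destination groups from the description against constructed packets inside HOME_NET 10.0.0.0/8.

```python
import ipaddress
from typing import List, Tuple

# Constructed model, not Suricata's parser. Only the one nesting level
# seen in this ticket ("![a-b]" inside a group) is supported.
Range = Tuple[int, int]          # inclusive (first, last) as integers
ANY: Range = (0, 2 ** 32 - 1)    # IPv4 universe


def split_group(group: str) -> List[str]:
    """Split '[a, !b, c]' (or a bare entry) into its top-level entries."""
    s = group.strip()
    if s.startswith('[') and s.endswith(']'):
        s = s[1:-1]
    return [t for t in s.split(',') if t.strip()]


def parse_entry(token: str) -> Tuple[bool, Range]:
    """Parse 'a.b.c.d', 'a.b.c.d/nn' or 'a.b.c.d - e.f.g.h', optionally
    prefixed with '!' and optionally wrapped in [ ], into (negated, range)."""
    token = token.strip()
    negated = token.startswith('!')
    if negated:
        token = token[1:].strip()
    token = token.strip('[]').strip()
    if '-' in token:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in token.split('-', 1))
        return negated, (int(lo), int(hi))
    net = ipaddress.ip_network(token, strict=False)
    return negated, (int(net.network_address), int(net.broadcast_address))


def resolve_group(group: str) -> List[Range]:
    """Resolve an address group to sorted, merged, included ranges under
    the assumed rule: the most specific covering entry decides."""
    entries = [parse_entry(t) for t in split_group(group)]
    if all(neg for neg, _ in entries):
        # Assumption: a purely negated group means "any address except".
        entries.insert(0, (False, ANY))
    # Elementary intervals between every range boundary.
    points = sorted({b for _, (lo, hi) in entries for b in (lo, hi + 1)})
    included: List[Range] = []
    for start, end in zip(points, points[1:]):
        last = end - 1
        covering = [(hi - lo, idx, neg)
                    for idx, (neg, (lo, hi)) in enumerate(entries)
                    if lo <= start and last <= hi]
        if not covering:
            continue
        # Smallest span wins; on equal span the later entry wins.
        _, _, neg = min(covering, key=lambda c: (c[0], -c[1]))
        if neg:
            continue
        if included and included[-1][1] + 1 == start:
            included[-1] = (included[-1][0], last)   # merge adjacent
        else:
            included.append((start, last))
    return included


def format_ranges(ranges: List[Range]) -> List[str]:
    return ["%s-%s" % (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            for lo, hi in ranges]


def matches(group: str, addr: str) -> bool:
    """True if addr falls inside the resolved group."""
    a = int(ipaddress.ip_address(addr))
    return any(lo <= a <= hi for lo, hi in resolve_group(group))


if __name__ == "__main__":
    # Comment #3's group, expected to give the three ranges from that comment.
    print(format_ranges(resolve_group("[192.168.0.0/16,!192.168.1.0/24,192.168.1.1]")))
    # Constructed packet inside HOME_NET 10.0.0.0/8; tests 5-8 should match.
    src, dst = "10.1.2.3", "10.4.5.6"
    for rule_no, side, grp in ((5, "src", "!192.168.0.0/16"),
                               (6, "src", "![192.168.0.0/16]"),
                               (7, "dst", "!192.168.0.0/16"),
                               (8, "dst", "![192.168.0.0/16]")):
        print("Test %d %s matches: %s" % (rule_no, side, matches(grp, src if side == "src" else dst)))
```

Under the same assumed rule, comment #5's group would keep 192.168.1.20-192.168.1.30 (the explicit range is narrower than the negated one), but that reading is not settled anywhere in this thread; the function only encodes the interpretation confirmed in comment #4.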

Actions #5

Updated by Anoop Saldanha about 12 years ago

Should

[192.168.1.0/24, ![192.168.1.10 - 192.168.1.40], 192.168.1.20 - 192.168.1.30]

be

192.168.1.0-192.168.1.9,
192.168.1.20-192.168.1.30,
192.168.1.41-192.168.1.255

or

192.168.1.0-192.168.1.9
192.168.1.41-192.168.1.255

?

Actions #6

Updated by Victor Julien almost 12 years ago

  • Target version changed from 1.4beta3 to 1.4rc1

Actions #7

Updated by Anoop Saldanha almost 12 years ago

  • % Done changed from 0 to 30

Actions #8

Updated by Victor Julien almost 12 years ago

  • Status changed from Assigned to Closed
  • Priority changed from High to Normal
  • % Done changed from 30 to 100

Merged, thanks Anoop!

Actions #9

Updated by Anoop Saldanha almost 12 years ago

  • Priority changed from Normal to High
  • Target version changed from 1.4rc1 to 1.4beta3
  • % Done changed from 100 to 0
  • Inspect the existence of this bug on the 1.3.x branch and fix if it exists.

Actions #10

Updated by Victor Julien almost 12 years ago

  • Priority changed from High to Normal
  • Target version changed from 1.4beta3 to 1.4rc1

If the issue exists on 1.3.x as well, please open a ticket for 1.3.5.
