Suricata

Check your Rules for Absolute and Relative Dataset Filenames¶

The following grep command will look at all rule files in /var/lib/suricata/rules that try to write to a dataset using an absolute path name or a path name that traverses to the parent directory.

grep -E 'dataset:.*(state|save)\s+(.*\.\.|/)' /var/lib/suricata/rules/*.rules

Use Suricata-Update to Disable Rules with Absolute or Parent Dataset Paths¶

In /etc/suricata/disable.conf, a regular expression can be added to disable rules that attempt to write to a dataset filename either to an absolute pathname, or paths that contain ..:

re:dataset:.*?(save|state)\s+(.*\.\.|/).*?;

Notes¶

Test Rules¶

The above commands were tested with the following rules:

alert dns any any -> any any (msg:"dataset normal"; dns.query; to_sha256; dataset: isset, dns-sha256-seen, type md5, state dns-sha256-seen.lst; sid:1000000; rev:1;)
alert dns any any -> any any (msg:"dataset absolute"; dns.query; to_sha256; dataset: isset, absolute, type md5, state /absolute.lst; sid:2; rev:1000001;)
alert dns any any -> any any (msg:"dataset parent"; dns.query; to_sha256; dataset: isset, parent, type md5, state ../absolute.lst; sid:3; rev:1000002;)
alert dns any any -> any any (msg:"dataset save parent"; dns.query; to_sha256; dataset: isset, parent-save, type md5, save ../save-absolute.lst; sid:1000003; rev:1;)
alert dns any any -> any any (msg:"static"; dns.query; to_sha256; dataset: isset, static, type md5, load static.list; sid:1000004; rev:1;)
alert dns any any -> any any (msg:"relative inside"; dns.query; to_sha256; dataset: isset, relative-inside, type md5, save foo/../../bar; sid:1000005; rev:1;)