Bug #6177: detect-engine: stream match for rules is interdependent - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #6177

open

detect-engine: stream match for rules is interdependent

Added by Shivani Bhardwaj over 1 year ago.

Status:

Assigned

Priority:

Normal

Assignee:

Victor Julien

Target version:

TBD

Affected Versions:

Effort:

Difficulty:

Label:

Description

For rules mentioned in the s-v test https://github.com/OISF/suricata-verify/blob/master/tests/bug-2917/test.rules

and for the following debug statement:

diff --git a/src/detect-engine.c b/src/detect-engine.c
index 83756018c..7b317142a 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -531,6 +531,7 @@ static void AppendStreamInspectEngine(
     if (unlikely(new_engine == NULL)) {
         exit(EXIT_FAILURE);
     }
+    SCLogNotice("mpm_sm_list: %d for sid: %d", s->init_data->mpm_sm_list, s->id);
     if (s->init_data->mpm_sm_list == DETECT_SM_LIST_PMATCH) {
         SCLogDebug("stream is mpm");
         prepend = true;

one gets the following output:

Notice: detect: mpm_sm_list: -1 for sid: 1371257161 [AppendStreamInspectEngine:detect-engine.c:534]
Notice: detect: mpm_sm_list: -1 for sid: 1371257161 [AppendStreamInspectEngine:detect-engine.c:534]

However, if the rule with sid: 5 was removed from the test, one would get the output as follows:

Notice: detect: mpm_sm_list: -1 for sid: 2 [AppendStreamInspectEngine:detect-engine.c:534]
Notice: detect: mpm_sm_list: -1 for sid: 2 [AppendStreamInspectEngine:detect-engine.c:534]
Notice: detect: mpm_sm_list: 1 for sid: 4 [AppendStreamInspectEngine:detect-engine.c:534]
Notice: detect: mpm_sm_list: 1 for sid: 4 [AppendStreamInspectEngine:detect-engine.c:534]
Notice: detect: mpm_sm_list: -1 for sid: 1371257161 [AppendStreamInspectEngine:detect-engine.c:534]
Notice: detect: mpm_sm_list: -1 for sid: 1371257161 [AppendStreamInspectEngine:detect-engine.c:534]

It would be expected that the rules have no dependency among one another and each be dealt separately but this case shows that it is not the case.

Related issues 1 (0 open — 1 closed)

Actions

Copy link

Updated by Shivani Bhardwaj over 1 year ago

Related to Bug #2917: Unable to find the sm in any of the sm lists added

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #6177

detect-engine: stream match for rules is interdependent

Updated by Shivani Bhardwaj over 1 year ago