Bug #6177

open

detect-engine: stream match for rules is interdependent

Added by Shivani Bhardwaj over 1 year ago.

Status: Assigned
Priority: Normal

Description

For rules mentioned in the s-v test https://github.com/OISF/suricata-verify/blob/master/tests/bug-2917/test.rules

and for the following debug statement:

diff --git a/src/detect-engine.c b/src/detect-engine.c
index 83756018c..7b317142a 100644
--- a/src/detect-engine.c
+++ b/src/detect-engine.c
@@ -531,6 +531,7 @@ static void AppendStreamInspectEngine(
     if (unlikely(new_engine == NULL)) {
         exit(EXIT_FAILURE);
     }
+    SCLogNotice("mpm_sm_list: %d for sid: %d", s->init_data->mpm_sm_list, s->id);
     if (s->init_data->mpm_sm_list == DETECT_SM_LIST_PMATCH) {
         SCLogDebug("stream is mpm");
         prepend = true;
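
Review bot: the added SCLogNotice call logs at Notice level, while the message two lines below it in the same function uses SCLogDebug; if this line is meant to stay beyond local debugging it should be SCLogDebug as well, so it does not show up in normal engine start-up output. Both values are printed with %d; if s->id is an unsigned type, the specifier should match it. The message would also be easier to read if it included whatever distinguishes repeated calls for the same signature, since the output printed for this change shows every sid twice.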

one gets the following output:

Notice: detect: mpm_sm_list: -1 for sid: 1371257161 [AppendStreamInspectEngine:detect-engine.c:534]
Notice: detect: mpm_sm_list: -1 for sid: 1371257161 [AppendStreamInspectEngine:detect-engine.c:534]

However, if the rule with sid: 5 was removed from the test, one would get the output as follows:

Notice: detect: mpm_sm_list: -1 for sid: 2 [AppendStreamInspectEngine:detect-engine.c:534]
Notice: detect: mpm_sm_list: -1 for sid: 2 [AppendStreamInspectEngine:detect-engine.c:534]
Notice: detect: mpm_sm_list: 1 for sid: 4 [AppendStreamInspectEngine:detect-engine.c:534]
Notice: detect: mpm_sm_list: 1 for sid: 4 [AppendStreamInspectEngine:detect-engine.c:534]
Notice: detect: mpm_sm_list: -1 for sid: 1371257161 [AppendStreamInspectEngine:detect-engine.c:534]
Notice: detect: mpm_sm_list: -1 for sid: 1371257161 [AppendStreamInspectEngine:detect-engine.c:534]

It would be expected that the rules have no dependency among one another and each be dealt with separately, but this case shows that this is not so.
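
One way to turn the two outputs above into a repeatable independence check (an added example, not part of the original report or of Suricata; the names `parse_run` and `compare_runs` are assumptions): parse the debug lines from a run with all rules and a run with one rule removed, then list every other sid whose logging differs.

```python
import re

# Format of the Notice line produced by the debug statement in the report.
LINE_RE = re.compile(r"mpm_sm_list: (-?\d+) for sid: (\d+)")

# Log lines copied from the report: all rules loaded vs. sid 5 removed.
FULL_RUN = """\
Notice: detect: mpm_sm_list: -1 for sid: 1371257161 [AppendStreamInspectEngine:detect-engine.c:534]
Notice: detect: mpm_sm_list: -1 for sid: 1371257161 [AppendStreamInspectEngine:detect-engine.c:534]
"""
REDUCED_RUN = """\
Notice: detect: mpm_sm_list: -1 for sid: 2 [AppendStreamInspectEngine:detect-engine.c:534]
Notice: detect: mpm_sm_list: -1 for sid: 2 [AppendStreamInspectEngine:detect-engine.c:534]
Notice: detect: mpm_sm_list: 1 for sid: 4 [AppendStreamInspectEngine:detect-engine.c:534]
Notice: detect: mpm_sm_list: 1 for sid: 4 [AppendStreamInspectEngine:detect-engine.c:534]
Notice: detect: mpm_sm_list: -1 for sid: 1371257161 [AppendStreamInspectEngine:detect-engine.c:534]
Notice: detect: mpm_sm_list: -1 for sid: 1371257161 [AppendStreamInspectEngine:detect-engine.c:534]
"""

def parse_run(log_text):
    """Map each sid to the set of mpm_sm_list values logged for it."""
    seen = {}
    for value, sid in LINE_RE.findall(log_text):
        seen.setdefault(int(sid), set()).add(int(value))
    return seen

def compare_runs(full, reduced, removed_sids):
    """List sids (other than the removed ones) whose logging differs."""
    report = {"only_in_reduced": [], "only_in_full": [], "value_changed": []}
    for sid in sorted(set(full) | set(reduced)):
        if sid in removed_sids:
            continue  # the rule taken out on purpose is expected to differ
        if sid not in full:
            report["only_in_reduced"].append(sid)
        elif sid not in reduced:
            report["only_in_full"].append(sid)
        elif full[sid] != reduced[sid]:
            report["value_changed"].append(sid)
    return report

if __name__ == "__main__":
    result = compare_runs(parse_run(FULL_RUN), parse_run(REDUCED_RUN), {5})
    for kind, sids in result.items():
        print(f"{kind}: {sids}")
```

With independent rules every list would be empty; any sid reported here was affected by the presence of an unrelated rule.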


Related issues: 1 (0 open, 1 closed)

Related to Suricata - Bug #2917: Unable to find the sm in any of the sm lists (Closed, Shivani Bhardwaj)