Project

General

Profile

Actions
Copy link

Bug #6559

open

Signatures starting with space have invalid diagnosis

Added by Nicolas Frisoni 12 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
TBD
Affected Versions:
Effort:
Difficulty:
Label:

Description

Signature:

Starting with no space

alert tcp any any -> $DCNET any (msg: "test"; content: "toto"; sid: 1;)

Starting with space

 alert tcp any any -> $DCNET any (msg: "test"; content: "toto"; sid: 1;)

Suricata 6.0.10

Starting with no space

{"timestamp":"2023-11-20T09:53:42.141885+0100","log_level":"Warning","event_type":"engine","engine":{"error_code":242,"error":"SC_ERR_CONF_YAML_ERROR","message":"App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details."}}
{"timestamp":"2023-11-20T09:53:42.141941+0100","log_level":"Warning","event_type":"engine","engine":{"error_code":242,"error":"SC_ERR_CONF_YAML_ERROR","message":"App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details."}}
{"timestamp":"2023-11-20T09:53:42.141947+0100","log_level":"Warning","event_type":"engine","engine":{"error_code":242,"error":"SC_ERR_CONF_YAML_ERROR","message":"App-Layer protocol imap enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details."}}
{"timestamp":"2023-11-20T09:53:42.148911+0100","log_level":"Error","event_type":"engine","engine":{"error_code":101,"error":"SC_ERR_UNDEFINED_VAR","message":"Variable \"DCNET\" is not defined in configuration file"}}
{"timestamp":"2023-11-20T09:53:42.148933+0100","log_level":"Error","event_type":"engine","engine":{"error_code":39,"error":"SC_ERR_INVALID_SIGNATURE","message":"error parsing signature \"alert tcp any any -> $DCNET any (msg: \"test\"; content: \"toto\"; sid: 1;)\" from file \/tmp\/tmpjkqi4i2t\/file.rules at line 1"}}
{"timestamp":"2023-11-20T09:53:42.148939+0100","log_level":"Warning","event_type":"engine","engine":{"error_code":43,"error":"SC_ERR_NO_RULES_LOADED","message":"1 rule files specified, but no rules were loaded!"}}
{"timestamp":"2023-11-20T09:53:42.148951+0100","log_level":"Error","event_type":"engine","engine":{"error_code":43,"error":"SC_ERR_NO_RULES_LOADED","message":"Loading signatures failed."}}

Here we have err 101 "Variable \"DCNET\""

Starting with space

{"timestamp":"2023-11-20T11:37:21.691625+0100","log_level":"Warning","event_type":"engine","engine":{"error_code":242,"error":"SC_ERR_CONF_YAML_ERROR","message":"App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details."}}
{"timestamp":"2023-11-20T11:37:21.691697+0100","log_level":"Warning","event_type":"engine","engine":{"error_code":242,"error":"SC_ERR_CONF_YAML_ERROR","message":"App-Layer protocol http2 enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details."}}
{"timestamp":"2023-11-20T11:37:21.691704+0100","log_level":"Warning","event_type":"engine","engine":{"error_code":242,"error":"SC_ERR_CONF_YAML_ERROR","message":"App-Layer protocol imap enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details."}}
{"timestamp":"2023-11-20T11:37:21.698308+0100","log_level":"Warning","event_type":"engine","engine":{"error_code":43,"error":"SC_ERR_NO_RULES_LOADED","message":"1 rule files specified, but no rules were loaded!"}}
{"timestamp":"2023-11-20T11:37:21.698423+0100","log_level":"Warning","event_type":"engine","engine":{"error_code":242,"error":"SC_ERR_CONF_YAML_ERROR","message":"App-Layer protocol http enable status not set, so enabling by default. This behavior will change in Suricata 7, so please update your config. See ticket #4744 for more details."}}

We don t have err 101 "Variable \"DCNET\""

Suricata 7.0.1

Starting with no space

{"timestamp":"2023-11-20T11:41:56.083558+0100","log_level":"Error","event_type":"engine","engine":{"message":"Variable \"DCNET\" is not defined in configuration file","thread_name":"Suricata-Main","module":"rule-vars"}}
{"timestamp":"2023-11-20T11:41:56.083586+0100","log_level":"Error","event_type":"engine","engine":{"message":"error parsing signature \"alert tcp any any -> $DCNET any (msg: \"test\"; content: \"toto\"; sid: 1;)\" from file /tmp/tmpjkqi4i2t/file.rules at line 1","thread_name":"Suricata-Main","module":"detect"}}
{"timestamp":"2023-11-20T11:41:56.083592+0100","log_level":"Warning","event_type":"engine","engine":{"message":"1 rule files specified, but no rules were loaded!","thread_name":"Suricata-Main","module":"detect"}}
{"timestamp":"2023-11-20T11:41:56.083601+0100","log_level":"Error","event_type":"engine","engine":{"message":"Loading signatures failed.","thread_name":"Suricata-Main","module":"suricata"}}

We have err "Variable \"DCNET\""

Starting with space

{"timestamp":"2023-11-20T11:43:43.722560+0100","log_level":"Warning","event_type":"engine","engine":{"message":"1 rule files specified, but no rules were loaded!","thread_name":"Suricata-Main","module":"detect"}}
{"timestamp":"2023-11-20T11:43:43.722591+0100","log_level":"Warning","event_type":"engine","engine":{"message":"Error opening file: \"/usr/local/etc/suricata//threshold.config\": No such file or directory","thread_name":"Suricata-Main","module":"threshold-config"}}

We don t have err "Variable \"DCNET\""

Expected Results

A rule starting or not with a space should have same output errors.

No data to display

Actions
Copy link

Also available in: Atom PDF