Project

General

Profile

Actions
Copy link

Bug #7326

open

detect/multi-buffer/prefilter: false negative if the first packet does not have all occurences with http.request_header

Added by Philippe Antoine 17 days ago. Updated 17 days ago.

Status:
In Review
Priority:
Normal
Assignee:
Philippe Antoine
Target version:
8.0.0-beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

Found while working on #5576

Rules should match the same whatever their fast_pattern is, but

alert http any any -> any any ( sid: 2; http.stat_code; content: "200"; fast_pattern; http.response_header; content: "first";)
alert http any any -> any any ( sid: 3; http.stat_code; content: "200"; http.response_header; content: "first"; fast_pattern;)

will have the first one matching and not the second one with
import socket
import time

HOST = "127.0.0.1"  # Standard loopback interface address (localhost)
PORT = 8001  # Port to listen on (non-privileged ports are > 1023)

with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
    s.bind((HOST, PORT))
    s.listen()
    conn, addr = s.accept()
    with conn:
        print(f"Connected by {addr}")
        while True:
            data = conn.recv(1024)
            if not data:
                break
            conn.sendall(b"HTTP/1.0 200 OK\nServer: custom\n")
            conn.sendall(b"Header1: first\n")
            time.sleep(1)
            conn.sendall(b"Content-type: text\n")
            conn.sendall(b"X-first: secret\n")
            conn.sendall(b"Content-Length: 14\n\n")
            time.sleep(1)
            conn.sendall(b"see you later!")

Subtasks 1 (1 open0 closed)

Bug #7327: detect/multi-buffer/prefilter: false negative if the first packet does not have all occurences (7.0.x backport)AssignedOISF DevActions

Related issues 1 (1 open0 closed)

Related to Suricata - Bug #5576: Dataset is setting data despite the signature being a complete matchIn ReviewPhilippe AntoineActions
Actions
Copy link

Also available in: Atom PDF