Bug #7390
openbyte_extract: issue with saved 'name' in distance keyword
Description
No | Difference | Rule |
---|---|---|
1 | content:!"|38|"; distance:option_len; within:1; //option_len == 7 |
alert tcp any any -> any 8080 (msg:"distance name"; flow:to_server; content:"Authorization:"; content:"5f71ycy"; distance:0; byte_extract:1,0,option_len,string,relative; content:!"|38|"; distance:option_len; within:1; content:"|37|"; distance:-1; within:1; content:"|49|"; distance:option_len; within:1; sid:1;) |
2 | content:!"|38|"; distance:7; within:1; |
alert tcp any any -> any 8080 (msg:"distance number"; flow:to_server; content:"Authorization:"; content:"5f71ycy"; distance:0; byte_extract:1,0,option_len,string,relative; content:!"|38|"; distance:7; within:1; content:"|37|"; distance:-1; within:1; content:"|49|"; distance:option_len; within:1; sid:2;) |
In theory, the two detection rules mentioned above are identical. However, during detection testing, Rule 1 does not trigger any detections, while only Rule 2 is being detected.
Upon reviewing and analyzing the debug logs, it appears that the following code in 'detect-engine-content-inspection.c' may be the cause:
// Line : 254-256 if (cd->flags & (DETECT_CONTENT_DISTANCE_VAR|DETECT_CONTENT_OFFSET_VAR|DETECT_CONTENT_DEPTH_VAR)) { depth += offset; }
Since the analysis was conducted briefly, it may not be the definitive cause, so please consider this as a reference only.
If you need any further assistance, feel free to ask!
P.S. The tests were conducted on the latest version, 7.0.7, and I have also attached the PCAP file used for the detection test.
Files
Updated by Minuk Cha about 2 months ago
It has been confirmed that the same issue occurs when using the 'name' value saved with the 'byte_math' option
Updated by Victor Julien about 1 month ago
- Subject changed from Bug Occurs When Using 'name' Saved with 'byte_extract' Option as Value for 'distance' Option to byte_extract: issue with saved 'name' in distance keyword
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Jeff Lucovsky
- Priority changed from Urgent to Normal
- Target version changed from TBD to 8.0.0-beta1
@Minuk Cha can you create a Suricata Verify test for this at https://github.com/OISF/suricata-verify
Updated by Minuk Cha about 1 month ago
@Victor Julien After downloading the files from 'https://github.com/OISF/suricata-verify', should I refer to the 'README' to proceed?
I haven't done a Suricata Verify test before, so I'm not sure what to do...
Updated by Jeff Lucovsky about 1 month ago
I can create the suricata-verify test; do you have a pcap that demonstrates the issue?
Updated by Minuk Cha about 1 month ago
The content written in the issue and the attached file are the detection rules and the PCAP file that I used for testing.