Project

General

Profile

Actions
Copy link

Bug #7637

open

eBPF-Filter containing '=' throws warning due to parsing error

Added by Jascha Sticher 25 days ago. Updated 18 days ago.

Status:
In Progress
Priority:
Normal
Assignee:
Jason Ish
Target version:
1.3.5
Affected Versions:
1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.3.1, 1.3.2, 1.3.4, 1.2.8, 1.3.0, 1.3.3, 1.3.5
Effort:
Difficulty:
Label:

Description

Hi folks,

we recently added an eBPF term to one of our customers' interfaces that contains an equal sign ('=').

This seems to throw off suricata-update (see warning below). Suricata itself does not complain about the term and logs that it is using the correct eBPF filter.

It seems to me that engine.py lines 111ff. (https://github.com/OISF/suricata-update/blob/65bd3d72855a4cbe8bdbd9f2586f5409b3efb6f6/suricata/update/engine.py#L111) are at fault.
Values containing '=' are not supported, as it breaks the two variable assignment.

I am willing to provide code to fix this. The solution I would propose is a simple regex (as re is already used), I took the liberty to create the following commit:
https://github.com/ausecus/suricata-update/commit/fcb6423130b1a394994f47dbfafe8d3877aabf75. Unittests have the same results as in upstream
(https://github.com/ausecus/suricata-update/actions/runs/14192072771), although the are no engine tests yet. I can create some for this case, if necessary.

If you need any additional information, please let me know.

Logs during buggy behaviour

user@hostname:~$ sudo suricata-update --reload-command='suricatasc -c ruleset-reload-nonblocking'
1/4/2025 -- 11:10:12 - <Info> -- Using data-directory /var/lib/suricata.
1/4/2025 -- 11:10:12 - <Info> -- Using Suricata configuration /etc/suricata/suricata.yaml
1/4/2025 -- 11:10:12 - <Info> -- Using /etc/suricata/rules for Suricata provided rules.
1/4/2025 -- 11:10:12 - <Info> -- Found Suricata version 7.0.10 at /usr/bin/suricata.
1/4/2025 -- 11:10:12 - <Info> -- Loading /etc/suricata/disable.conf.
1/4/2025 -- 11:10:12 - <Info> -- Loading /etc/suricata/enable.conf.
1/4/2025 -- 11:10:12 - <Info> -- Loading /etc/suricata/modify.conf.
1/4/2025 -- 11:10:12 - <Info> -- Loading /etc/suricata/drop.conf.
1/4/2025 -- 11:10:12 - <Info> -- Loading /etc/suricata/suricata.yaml
1/4/2025 -- 11:10:12 - <Warning> -- Failed to parse: b'af-packet.1.bpf-filter = not (tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x504f5354 and (dst host <redacted> or src host <redacted>))'                                                                                              
1/4/2025 -- 11:10:12 - <Warning> -- Source index is older than 2 weeks. Please update with suricata-update update-sources.                  
1/4/2025 -- 11:10:12 - <Info> -- Last download less than 15 minutes ago. Not downloading <redacted>.
... snipped normal behaviour
Actions
Copy link
 #1

Updated by Jason Ish 18 days ago

  • Status changed from New to In Progress
  • Assignee set to Jason Ish
  • Target version set to 1.3.5

Fixing coming, decided to just use a maxsplit=1.

Actions
Copy link

Also available in: Atom PDF