Bug #7638: detect: incorrect rule ordering with more complex flowbit chains - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #7638

open

detect: incorrect rule ordering with more complex flowbit chains

Added by Victor Julien 2 days ago. Updated 2 days ago.

Status:

Assigned

Priority:

Normal

Assignee:

Shivani Bhardwaj

Target version:

8.0.0-rc1

Affected Versions:

Effort:

Difficulty:

Label:

Description

alert http any any -> any any (http.uri; content:"down"; flowbits:set,uritest; sid:11;)
alert http any any -> any any (http.user_agent; content:"Mozilla"; flowbits:isset, headtest; flowbits:set,moz; sid:10;)
alert http any any -> any any (http.method; content:"GET"; flowbits:isset,uritest; flowbits:set,headtest; sid:12;)
alert http any any -> any any (http.host; content:"ether"; flowbits:isset,moz; sid:14;)

should be ordered: 11, 12, 10, 14. Is actually ordered: 11, 10, 12, 14. This is because in the ordering there just 3 cases:
set, read, read_set. Sid 10 and 12 are both read_set, and thus correct order isn't enforced.

Actions

Copy link

Updated by Victor Julien 2 days ago

SV test https://github.com/OISF/suricata-verify/pull/2397

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #7638

detect: incorrect rule ordering with more complex flowbit chains

Updated by Victor Julien 2 days ago