Bug #6483

Updated by Brandon Murphy 9 months ago

h1. Description

When testing multiple iterations of a signature which contained @http.request_headers@, I found that enabling one signature, which should not alert, caused another signature, which should alert, to _not_ alert.

h1. Reproduction steps

1. Using Suricata version 7.0.3-dev (46a46e5b1 2023-11-07) enable the following rules
<pre>
## contains trailing |0d 0a| in pcre and does not fire, and should not fire, but when this rule is enabled, causes sid:3 to not fire
alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ws"; endswith; http.user_agent; content:"Go|2d|http|2d|client|2f|1|2e|1"; http.connection; content:"Upgrade"; bsize:7; http.request_header; content:"Key|3a 20|"; startswith; pcre:"/^(?:[a-z0-9]{64})\x0d\x0a/R"; sid:2;)

## doesn't contain |0d 0a|, should fire and fires by itself, but not when above rule is enabled.
alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ws"; endswith; http.user_agent; content:"Go|2d|http|2d|client|2f|1|2e|1"; http.connection; content:"Upgrade"; bsize:7; http.request_header; bsize:69; content:"Key|3a 20|"; startswith; pcre:"/^(?:[a-z0-9]{64})$/R"; sid:3;)
</pre>

2. Run Suricata against the attached pcap
3. Observe that no alerts are produced
4. Now disable sid:2
5. Observe that sid:3 now alerts
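To make the intended outcome of the two rules concrete, here is a small added example (not part of the bug report and not Suricata code) that models only the @http.request_header@ part of sid:2 and sid:3: the @content@/@startswith@ check, the @bsize@ check and the @pcre@ with the @/R@ (relative) modifier. It assumes, per Suricata's documentation of the sticky buffer, that each request header is exposed as @Name: value@ with the trailing CRLF stripped; the request itself and the 64-character key are constructed. Run on that input, sid:2 does not match (its pcre requires a CRLF that is not in the buffer) and sid:3 does, which is the behaviour the report says each rule shows on its own.

```python
"""
Toy evaluator for the per-header checks used by sid:2 and sid:3.

Added example, not part of the bug report or of Suricata. It assumes
(as documented for the http.request_header sticky buffer) that each
request header is presented as "Name: value" with no trailing CRLF,
and it only models content/startswith, bsize and pcre /R; the method,
URI, user-agent and connection checks of the rules are left out.
"""
import re
from typing import Optional

# Constructed raw request: the header set and the 64-character key are made up.
RAW_REQUEST = (
    b"GET /ws HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Go-http-client/1.1\r\n"
    b"Connection: Upgrade\r\n"
    b"Key: " + b"a" * 64 + b"\r\n"
    b"\r\n"
)


def request_header_buffers(raw: bytes) -> list:
    """Split the request head into per-header buffers the way the
    http.request_header buffer is assumed to present them:
    'Name: value', CRLF stripped, request line excluded."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")[1:]  # drop the request line
    return [line for line in lines if line]


def match_rule(buf: bytes, prefix: bytes, pattern: bytes, bsize: Optional[int]) -> bool:
    """Model of: [bsize:N;] content:prefix; startswith; pcre:/pattern/R

    bsize compares the whole buffer length; startswith anchors the content
    at offset 0; /R makes the pcre start where the content match ended."""
    if bsize is not None and len(buf) != bsize:
        return False
    if not buf.startswith(prefix):
        return False
    return re.match(pattern, buf[len(prefix):]) is not None


# The two rules' http.request_header sections, transcribed from the report.
SID2 = dict(prefix=b"Key: ", pattern=rb"^(?:[a-z0-9]{64})\x0d\x0a", bsize=None)
SID3 = dict(prefix=b"Key: ", pattern=rb"^(?:[a-z0-9]{64})$", bsize=69)


def evaluate(raw: bytes) -> dict:
    """Return whether each rule's header section matches any header buffer."""
    bufs = request_header_buffers(raw)
    return {
        "sid2": any(match_rule(b, **SID2) for b in bufs),
        "sid3": any(match_rule(b, **SID3) for b in bufs),
    }


if __name__ == "__main__":
    # Expected on the constructed request: sid2 False, sid3 True
    print(evaluate(RAW_REQUEST))
```

The @bsize:69@ in sid:3 is consistent with this buffer model: five bytes of @Key: @ plus the 64-character value, with no line terminator counted. The example shows the per-rule expectation only; the interaction between the two rules that the report describes is an engine-side effect and is not reproduced here.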

h1. Expected Behavior

Sid:3 should alert regardless of the state of sid:2.

h1. Observations

If the \x0d\x0a is removed from sid:2, sid:2 and sid:3 fire as expected.

The following rule, which uses http.header, alerts fine; this appears to isolate the issue to @http.request_header@.
<pre>
## uses http.header and should fire. Does fire regardless of other rules
alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ws"; endswith; http.user_agent; content:"Go|2d|http|2d|client|2f|1|2e|1"; http.connection; content:"Upgrade"; bsize:7; http.header; content:"Key|3a 20|"; pcre:"/^(?:[a-z0-9]{64})\x0d\x0a/R"; sid:20;)
</pre>
