Bug #6483
Updated by Brandon Murphy 11 months ago
h1. Description When testing multiple iterations of a signature which contained @http.request_headers@, I found that enabling one signature, which should not alert, caused another signature, which should alert, to _not_ alert. h1. Reproduction steps 1. Using Suricata version 7.0.3-dev (46a46e5b1 2023-11-07) enable the following rules <pre> ## contains trailing |0d 0a| in pcre and does not fire, and should not fire, but when this rule is enabled, causes sid:3 to not fire alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ws"; endswith; http.user_agent; content:"Go|2d|http|2d|client|2f|1|2e|1"; http.connection; content:"Upgrade"; bsize:7; http.request_header; content:"Key|3a 20|"; startswith; pcre:"/^(?:[a-z0-9]{64})\x0d\x0a/R"; sid:2;) ## doesn't contain |0d 0a|, should fire and fires by itself, but not when above rule is enabled. alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ws"; endswith; http.user_agent; content:"Go|2d|http|2d|client|2f|1|2e|1"; http.connection; content:"Upgrade"; bsize:7; http.request_header; bsize:69; content:"Key|3a 20|"; startswith; pcre:"/^(?:[a-z0-9]{64})$/R"; sid:3;) </pre> 2. Run Suricata against the attached pcap 3. Observe that no alerts are produced 4. Now disable sid:2 5. Observe that sid:3 now alerts h1. Expected Behavior Sid:3 should alert regardless of the state of sid:2; h1. Observations if the \x0d\x0a is removed from sid:2, sid:2 and sid:3 fires as expected The following rule which uses http.header alerts fine, this appears to isolate the issue to @http.request_header@ <pre> ## uses http.header and should fire. Does fire regardless of other rules alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.method; content:"GET"; http.uri; content:"/ws"; endswith; http.user_agent; content:"Go|2d|http|2d|client|2f|1|2e|1"; http.connection; content:"Upgrade"; bsize:7; http.header; content:"Key|3a 20|"; pcre:"/^(?:[a-z0-9]{64})\x0d\x0a/R"; sid:20;) </pre>