Bug #7361
Updated by Jason Ish about 2 months ago
For example, we have these DNS engine rules: <pre> alert dns any any -> any any (msg:"SURICATA DNS Not a request"; flow:to_server; app-layer-event:dns.not_a_request; classtype:protocol-command-decode; sid:2240004; rev:2;) alert dns any any -> any any (msg:"SURICATA DNS Not a response"; flow:to_client; app-layer-event:dns.not_a_response; classtype:protocol-command-decode; sid:2240005; rev:2;) </pre> The problem is that @dns.not_a_request@ and @dns.not_a_response@ are not valid, as they are actually @dns.not_request@ and @dns.not_response@. We have a few more as well that are now detected in Suricata git-master: <pre> Warning: detect-app-layer-event: app-layer-event keyword's protocol "dns" doesn't have event "not_a_request" registered [DetectAppLayerEventSetup:detect-app-layer-event.c:262] Warning: detect-app-layer-event: app-layer-event keyword's protocol "dns" doesn't have event "not_a_response" registered [DetectAppLayerEventSetup:detect-app-layer-event.c:262] Warning: detect-app-layer-event: app-layer-event keyword's protocol "http2" doesn't have event "invalid_http1_settings" registered [DetectAppLayerEventSetup:detect-app-layer-event.c:262] Warning: detect-app-layer-event: app-layer-event keyword's protocol "ike" doesn't have event "weak_crypto_nodh" registered [DetectAppLayerEventSetup:detect-app-layer-event.c:262] Warning: detect-app-layer-event: app-layer-event keyword's protocol "ike" doesn't have event "weak_crypto_noauth" registered [DetectAppLayerEventSetup:detect-app-layer-event.c:262] Warning: detect-app-layer-event: app-layer-event keyword's protocol "modbus" doesn't have event "invalid_unit_identifier" registered [DetectAppLayerEventSetup:detect-app-layer-event.c:262] </pre> The issue is due to mixing of @int@ and @uint8_t@, in particular over Rust FFI. Cleanup of mixed types for event IDs was fixed in git master, but only as a cleanup, but clearly its more. PR: https://github.com/OISF/suricata/pull/12019 I suggest that work is backported. In both master and 7.0 the rules need to be fixed up, which is why I'm targeting for 8 with backport to 7. This is probably another case where using that uses bindgen (#7341) for C to Rust bindings may have helped, however mixing int and u8 could also have issues with C as well.