
detect/filestore: fix options handling and impact

Open regit opened this issue 11 months ago • 24 comments

Update of https://github.com/OISF/suricata/pull/12176

The filestore keyword had an influence on the signature matching when it should not. For example, if Suricata is analysing traffic with a GET http request to uri /example and has the 2 following signatures loaded:

alert http any any -> any any (msg:"ex"; http.uri; content:"/example"; sid:1; rev:1;)
alert http any any -> any any (msg:"ex"; http.uri; content:"/example"; filestore; sid:2; rev:1;)

then the first signature will match and the second one will not.

Also the options of filestore were not honored correctly. A signature like:

alert http any any -> any any (msg:"ex"; http.uri; content:"/example"; filestore:to_client,tx; sid:2; rev:1;)

was not storing the file in the answer to the request.

This patch updates the logic in filestore keyword handling to fix the problems.

The patch first makes sure that a signature with filestore will hit even if there is no file in the current application layer context. Then the patch makes sure that postmatch handles the different options correctly.

As the filestore keyword no longer prevents a match, we need to update some unit tests that were using this "feature".
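An added illustration, not code from this PR or from Suricata: a small Python model of the match/post-match split the description relies on. The match phase only checks the http.uri content; the filestore keyword is applied afterwards and decides which files of the transaction to store. `Sig`, `Tx` and `evaluate` are assumed names, and the `fixed=False` path reproduces the old behaviour described above (a rule carrying filestore did not hit when no file was present in the inspected request).

```python
from dataclasses import dataclass, field
from typing import Optional

# Option vocabulary from the Suricata user guide: filestore:[direction][,scope]
DIRECTIONS = {"request": "to_server", "to_server": "to_server",
              "response": "to_client", "to_client": "to_client", "both": "both"}
SCOPES = ("file", "tx", "ssn")

def parse_filestore(value):
    """Parse the text after 'filestore:' ('' for the bare keyword) into
    (direction, scope). Defaults are 'both' and 'file' as in the user guide."""
    direction, scope = "both", "file"
    for tok in (t.strip() for t in value.split(",") if t.strip()):
        if tok in DIRECTIONS:
            direction = DIRECTIONS[tok]
        elif tok in SCOPES:
            scope = tok
        else:
            raise ValueError(f"unknown filestore option {tok!r}")
    return direction, scope

@dataclass
class Sig:            # assumed minimal rule model: sid, http.uri content, filestore text
    sid: int
    uri: str
    filestore: Optional[str] = None   # None = keyword absent, '' = bare 'filestore'

@dataclass
class Tx:             # assumed HTTP transaction: files seen in each direction (constructed)
    uri: str
    request_files: list = field(default_factory=list)
    response_files: list = field(default_factory=list)

def evaluate(sig, tx, fixed=True):
    """Match phase, then on a hit the filestore post-match.
    Returns (hit, files_to_store). fixed=False models the old behaviour the PR
    describes: a rule with filestore only hit when the inspected request held a file."""
    hit = sig.uri in tx.uri                     # the http.uri; content:"..." check only
    if not fixed and sig.filestore is not None and not tx.request_files:
        hit = False                             # old bug: filestore vetoed the match
    if not hit or sig.filestore is None:
        return hit, []
    direction, scope = parse_filestore(sig.filestore)
    if scope == "ssn":
        raise NotImplementedError("session scope is not modelled here")
    if scope == "file":                         # only the file of the current (request) context
        return hit, list(tx.request_files[:1])
    stored = []                                 # scope tx: every file of the tx, by direction
    if direction in ("to_server", "both"):
        stored += tx.request_files
    if direction in ("to_client", "both"):
        stored += tx.response_files
    return hit, stored
```

With the GET /example transaction from the description, all three rule variants hit after the fix, and only `filestore:to_client,tx` selects the response file for storage.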

Tickets: 7356 7357

Contribution style:

  • [x] I have read the contributing guide lines at https://docs.suricata.io/en/latest/devguide/contributing/contribution-process.html

Our Contribution agreements:

  • [x] I have signed the Open Information Security Foundation contribution agreement at https://suricata.io/about/contribution-agreement/ (note: this is only required once)

Changes (if applicable):

  • [x] I have updated the User Guide (in doc/userguide/) to reflect the changes made
  • [x] I have updated the JSON schema (in etc/schema.json) to reflect all logging changes (including schema descriptions)
  • [x] I have created a ticket at https://redmine.openinfosecfoundation.org/projects/suricata/issues

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7357

Describe changes:

  • rebase code
  • don't filestore before tx triggering the alert
  • put everything in one commit
  • rework the commit message

SV_BRANCH=https://github.com/OISF/suricata-verify/pull/2202

regit · Dec 20 '24 07:12