
Backport of detect/content: account for distance variables

Open jlucovsky opened this issue 6 months ago • 2 comments

Under some cases (below), the depth and offset values are used twice. This commit disregards the distance variable (if any), when computing the final depth.

These rules are logically equivalent:

  1. alert tcp any any -> any 8080 (msg:"distance name"; flow:to_server; content:"Authorization:"; content:"5f71ycy"; distance:0; byte_extract:1,0,option_len,string,relative; content:!"|38|"; distance:option_len; within:1; content:"|37|"; distance:-1; within:1; content:"|49|"; distance:option_len; within:1; sid:1;)
  2. alert tcp any any -> any 8080 (msg:"distance number"; flow:to_server; content:"Authorization:"; content:"5f71ycy"; distance:0; byte_extract:1,0,option_len,string,relative; content:!"|38|"; distance:7; within:1; content:"|37|"; distance:-1; within:1; content:"|49|"; distance:option_len; within:1; sid:2;)

The differences:

Rule 1: content:!"|38|"; distance:option_len; within:1; // option_len == 7
Rule 2: content:!"|38|"; distance:7; within:1;

Without this commit, rule 2 triggers an alert but rule 1 doesn't.

Issue: 7390 (cherry picked from commit ace0d3763674a8dc624ad1f1744ea7442cd86d43)

Link to ticket: https://redmine.openinfosecfoundation.org/issues/7748

Describe changes:

  • Backport of 7390

Provide values to any of the below to override the defaults.

  • To use a Suricata-Verify or Suricata-Update pull request, link to the pull request in the respective _BRANCH variable.
  • Leave unused overrides blank or remove.

SV_REPO=
SV_BRANCH=https://github.com/OISF/suricata-verify/pull/2561
SU_REPO=
SU_BRANCH=

jlucovsky avatar Jun 10 '25 13:06 jlucovsky
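To make the "logically equivalent" claim in the description concrete, here is an added example that is not part of the pull request or of Suricata's code: a deliberately small Python model of relative content matching that covers only the keywords the two rules use (content, distance, within, byte_extract ... relative, and negated content). It tracks the relative offset the way the description implies (a match advances it to the end of the match, byte_extract advances it past the consumed bytes, an absent negated content leaves it unchanged, and `within` is counted after `distance`). The payloads and the `I` terminator are constructed for the demonstration; the model is an assumption about the semantics, not the engine.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

# A distance/within argument is either a literal or the name of a byte_extract variable.
Dist = Union[int, str]


@dataclass
class Content:
    pattern: bytes
    negated: bool = False
    distance: Optional[Dist] = None
    within: Optional[Dist] = None


@dataclass
class ByteExtract:
    nbytes: int      # bytes to read
    offset: int      # relative to the end of the previous match
    name: str        # variable the value is stored in


Step = Union[Content, ByteExtract]


def resolve(v: Optional[Dist], env: dict) -> Optional[int]:
    """distance/within may be a number or a variable set by byte_extract."""
    if v is None:
        return None
    return env[v] if isinstance(v, str) else v


def match_rule(steps: List[Step], payload: bytes) -> bool:
    """Evaluate the steps left to right (simplified model, not Suricata's engine)."""
    env: dict = {}
    pos = 0  # end of the previous match ("relative" position)
    for s in steps:
        if isinstance(s, ByteExtract):
            start = pos + s.offset
            chunk = payload[start:start + s.nbytes]
            if len(chunk) < s.nbytes:
                return False
            try:
                env[s.name] = int(chunk.decode("ascii"))  # byte_extract ... string (base 10)
            except ValueError:
                return False
            pos = start + s.nbytes
            continue
        dist = resolve(s.distance, env)
        within = resolve(s.within, env)
        # Without distance the content is not relative and the whole buffer is scanned.
        start = 0 if dist is None else max(0, pos + dist)
        # within is measured after the distance-adjusted start.
        end = len(payload) if within is None else start + within
        idx = payload[start:end].find(s.pattern)
        found = idx != -1
        if s.negated:
            if found:
                return False
            continue  # no match position to record, relative offset stays put
        if not found:
            return False
        pos = start + idx + len(s.pattern)
    return True


def authorization_rule(neg_distance: Dist) -> List[Step]:
    """The rule from the description; only the negated content's distance differs."""
    return [
        Content(b"Authorization:"),
        Content(b"5f71ycy", distance=0),
        ByteExtract(1, 0, "option_len"),
        Content(b"8", negated=True, distance=neg_distance, within=1),  # content:!"|38|"
        Content(b"7", distance=-1, within=1),                          # content:"|37|"
        Content(b"I", distance="option_len", within=1),                # content:"|49|"
    ]


RULE_1 = authorization_rule("option_len")  # distance:option_len
RULE_2 = authorization_rule(7)             # distance:7

# Constructed payloads: '7' is extracted as option_len, seven filler bytes follow, then the
# byte the last content looks for ('I' = |49|) or the byte the negated content rejects ('8').
HIT = b"GET / HTTP/1.1\r\nAuthorization: 5f71ycy7ABCDEFGI\r\n"
MISS = b"GET / HTTP/1.1\r\nAuthorization: 5f71ycy7ABCDEFG8\r\n"


def rules_agree(payload: bytes) -> bool:
    """True when both rule forms give the same verdict on the payload."""
    return match_rule(RULE_1, payload) == match_rule(RULE_2, payload)


if __name__ == "__main__":
    for name, p in (("HIT", HIT), ("MISS", MISS)):
        print(name, match_rule(RULE_1, p), match_rule(RULE_2, p))
```

In this model both rule forms alert on `HIT` and stay silent on `MISS`, which is the behaviour the description says rule 1 should share with rule 2 once the distance variable is handled correctly.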

Codecov Report

All modified and coverable lines are covered by tests.

Project coverage is 81.53%. Comparing base (0e9d05b) to head (e6e61b1). Report is 3 commits behind head on main-7.0.x.

@@             Coverage Diff             @@
##           main-7.0.x   #13416   +/-   ##
===========================================
  Coverage       81.53%   81.53%           
===========================================
  Files             922      922           
  Lines          261682   261682           
===========================================
+ Hits           213368   213374    +6     
+ Misses          48314    48308    -6     
Flag             Coverage   Δ
fuzzcorpus       61.41%     <100.00%> (+0.04%)
suricata-verify  63.84%     <100.00%> (-0.02%)
unittests        62.33%     <100.00%> (-0.01%)

Flags with carried forward coverage won't be shown.

codecov[bot] avatar Jun 10 '25 15:06 codecov[bot]

WARNING:

field                   baseline  test  %
SURI_TLPR1_stats_chk
  .uptime               635       657   103.46%

Pipeline = 26478

suricata-qa avatar Jun 10 '25 17:06 suricata-qa

Merged in #13440, thanks!

victorjulien avatar Jun 16 '25 12:06 victorjulien