gonids
Errors parsing network info
Hi,
referring to network examples in these sections of docs:
Negated lists
s := `alert tcp any any -> any ![80,443,9000] (msg:"test"; content:"123"; sid:1; rev:1;)`
r, _ := gonids.ParseRule(s)
fmt.Println(r)
outputs
alert tcp any any -> any [![80,443,9000] (msg:"test"; content:"123"; sid:1; rev:1;)
and
s := `alert tcp any any -> ![1.1.1.1,1.1.1.2] any (msg:"test"; content:"123"; sid:1; rev:1;)`
r, _ := gonids.ParseRule(s)
fmt.Println(r)
outputs
alert tcp any any -> [![1.1.1.1,1.1.1.2] any (msg:"test"; content:"123"; sid:1; rev:1;)
which is invalid.
Spaces in network components
Gonids outputs an error when network components contain spaces. Spaces in lists of IPs (ranges)/ports are valid based on the examples in the docs and my experiments.
s := `alert tcp any any -> [1.1.1.1, 1.1.1.2] any (msg:"test"; content:"123"; sid:1; rev:1;)`
_, err := gonids.ParseRule(s)
if err != nil {
	fmt.Println(err)
}
outputs
network component contains spaces: 1.1.1.2] any
The same goes for lists of ports.
Can you please give me any hints where in gonids these issues can be addressed?
Hey Daniel, I suspect the bugs will be in the String() functions for the various components.
For Network issues, it's likely to be in [0][1]. The String() for a Rule that calls this is at [2].
The error being thrown during parsing of network definitions with spaces is at [3].
[0] https://github.com/google/gonids/blob/197084007ae92b914688f9dd9e6bda5f6525b7e4/rule.go#L665
[1] https://github.com/google/gonids/blob/197084007ae92b914688f9dd9e6bda5f6525b7e4/rule.go#L647
[2] https://github.com/google/gonids/blob/197084007ae92b914688f9dd9e6bda5f6525b7e4/rule.go#L894
[3] https://github.com/google/gonids/blob/197084007ae92b914688f9dd9e6bda5f6525b7e4/parser.go#L420
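One bracket-aware way to tokenize the rule header discussed in this thread, so that spaces inside a list do not split the field and a leading `!` stays attached to its list. This is an added example, not gonids code and not part of either comment; `splitHeader` and `normalizeHeader` are hypothetical names, and the inputs are constructed from the rules quoted above.

```go
package main

import (
	"fmt"
	"strings"
)

// splitHeader (hypothetical, not gonids code) splits on spaces outside [...].
func splitHeader(h string) ([]string, error) {
	var fields []string
	var cur strings.Builder
	depth := 0
	for _, c := range h + " " { // trailing space flushes the last field
		switch c {
		case '[':
			depth++
		case ']':
			if depth--; depth < 0 {
				return nil, fmt.Errorf("unbalanced ']' in %q", h)
			}
		case ' ', '\t':
			if depth == 0 && cur.Len() > 0 { // field boundary outside any list
				fields = append(fields, cur.String())
				cur.Reset()
			}
			continue // whitespace is never copied, so spaces inside lists vanish
		}
		cur.WriteRune(c)
	}
	if depth != 0 {
		return nil, fmt.Errorf("unbalanced '[' in %q", h)
	}
	return fields, nil
}

// normalizeHeader keeps negation and brackets as written; only whitespace changes.
func normalizeHeader(h string) (string, error) {
	f, err := splitHeader(h)
	if err != nil {
		return "", err
	}
	if len(f) != 7 { // action proto src sport direction dst dport
		return "", fmt.Errorf("want 7 header fields, got %d: %q", len(f), f)
	}
	return strings.Join(f, " "), nil
}

func main() {
	fmt.Println(normalizeHeader("alert tcp any any -> [1.1.1.1, 1.1.1.2] any")) // constructed input
}
```

Re-serializing a parsed rule and comparing it with the whitespace-normalized input is a cheap round-trip check that catches output such as `[![80,443,9000]` before a rewritten rule is loaded into a sensor.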