aiden
/
suricata
mirror of https://github.com/OISF/suricata
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

detect: fix bug where rule without sid is accepted

Browse Source 
Before, if Suricata parsed a rule without a 'sid' option, instead of
failing that rule, the rule was parsed and attributed a sid 0.
Changes to:
detect-parse:
- add logic to filter out rules without sid;
- change unittest which didn't have a sid, but used to pass.
detect-sid: add unittest for rules without sid or with sid: 0
pull/6261/head
Juliana Fajardini 4 years ago committed by Victor Julien
parent 0eefd90a93
commit a15fada727
2 changed files with 25 additions and 2 deletions
Show Stats Download Patch File Download Diff File

10
src/detect-parse.c
Unescape Escape View File

@ -1889,6 +1889,10 @@ static int SigValidate(DetectEngineCtx *de_ctx, Signature *s)
SCReturnInt(0);
}
}
if (s->id == 0) {
SCLogError(SC_ERR_INVALID_SIGNATURE, "Signature missing required value \"sid\".");
SCReturnInt(0);
}
SCReturnInt(1);
}
@ -2807,13 +2811,15 @@ static int SigParseTest11(void)
Signature *s = NULL;
s = DetectEngineAppendSig(de_ctx, "drop tcp any any -> any 80 (msg:\"Snort_Inline is blocking the http link\";) ");
s = DetectEngineAppendSig(de_ctx,
"drop tcp any any -> any 80 (msg:\"Snort_Inline is blocking the http link\"; sid:1;) ");
if (s == NULL) {
printf("sig 1 didn't parse: ");
goto end;
}
s = DetectEngineAppendSig(de_ctx, "drop tcp any any -> any 80 (msg:\"Snort_Inline is blocking the http link\"; sid:1;) ");
s = DetectEngineAppendSig(de_ctx, "drop tcp any any -> any 80 (msg:\"Snort_Inline is blocking "
"the http link\"; sid:2;) ");
if (s == NULL) {
printf("sig 2 didn't parse: ");
goto end;

17
src/detect-sid.c
Unescape Escape View File

@ -119,6 +119,22 @@ static int SidTestParse03(void)
PASS;
}
static int SidTestParse04(void)
{
DetectEngineCtx *de_ctx = DetectEngineCtxInit();
FAIL_IF_NULL(de_ctx);
FAIL_IF_NOT_NULL(DetectEngineAppendSig(
de_ctx, "alert tcp any any -> any any (content:\"ABC\"; sid: 0;)"));
/* Let's also make sure that Suricata fails a rule which doesn't have a sid at all */
FAIL_IF_NOT_NULL(
DetectEngineAppendSig(de_ctx, "alert tcp any any -> any any (content:\"ABC\";)"));
DetectEngineCtxFree(de_ctx);
PASS;
}
/**
* \brief Register DetectSid unit tests.
*/
@ -127,5 +143,6 @@ static void DetectSidRegisterTests(void)
UtRegisterTest("SidTestParse01", SidTestParse01);
UtRegisterTest("SidTestParse02", SidTestParse02);
UtRegisterTest("SidTestParse03", SidTestParse03);
UtRegisterTest("SidTestParse04", SidTestParse04);
}
#endif /* UNITTESTS */
Write Preview
Loading…
Cancel
Save