[Oisf-devel] http_raw_uri and relative offset request
Victor Julien
victor at inliniac.net
Mon Jan 16 13:27:24 UTC 2012
On 01/14/2012 01:00 AM, eileen donlon wrote:
> Here is a patch against the current git master for review. Lightly
> tested; pcre unittests pass.

I think the patch is wrong for 2 reasons:

1) it creates a null-dereference case. The condition is only reachable
if prev_sm == NULL. If the error condition is removed we continue to
this line:

    switch (prev_sm->type) {

2) As prev_sm will be NULL we won't inform the content match to expect a
relative match coming up. This means the detection engine will not
consider the upcoming relative pcre (properly).

Cheers,
Victor

> Regards,
> Eileen
>
> On Fri, Jan 13, 2012 at 4:53 PM, eileen donlon <emdonlo at gmail.com
> <mailto:emdonlo at gmail.com>> wrote:
>
> Hi,
>
> Sorry, it still doesn't work. The error doesn't occur regardless of
> the nocase/http_raw_uri order if there is no pcre. My apologies.
>
> Thanks,
> Eileen
>
>
> On Fri, Jan 13, 2012 at 5:46 PM, rmkml <rmkml at yahoo.fr
> <mailto:rmkml at yahoo.fr>> wrote:
>
> Thank you Eileen,
> can you send a modified sig that works, please?
> Regards
> Rmkml
>
>
>
> On Fri, 13 Jan 2012, eileen donlon wrote:
>
> Hi,
>
> Confirmed. Can you please put in a ticket?
>
> As a workaround, it seems to load ok if you put the
> http_raw_uri before the nocase.
>
> Thanks,
> Eileen
>
> On Fri, Jan 13, 2012 at 5:15 PM, rmkml <rmkml at yahoo.fr
> <mailto:rmkml at yahoo.fr>> wrote:
> Hi,
> I'm testing suricata v1.2rc1 and I have a request please
> (if anyone confirms, of course).
> OK, create a sig with `content:"/test"; nocase;
> http_raw_uri; pcre:"/^abc/Rsmi";`
>
> suricata sends an error:
> [13087] 13/1/2012 -- 22:53:20 - (detect-pcre.c:1193)
> <Error> (DetectPcreSetup) -- [ERRCODE:
> SC_ERR_INVALID_SIGNATURE(39)] - No preceding content or
> uricontent or pcre option
>
> but the URI works with snort: GET /testabc HTTP/1.0...
> `http_raw_uri` is a little bit special because it permits
> relative offset...
> (http_raw_uri is like content but pattern searching
> only on http uri)
>
> If anyone confirms, I'll create a new ticket...
> Regards
> Rmkml
> _______________________________________________
> Oisf-devel mailing list
> Oisf-devel at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
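
An added example, not part of the original message and not Suricata code: a simplified C model of the two points raised in the reply above (keep the NULL guard before `prev_sm->type`, and flag the previous match so the engine expects a relative match). The types, the flag and the function names are hypothetical, and it assumes the content match modified by `http_raw_uri` is kept in a separate list from payload matches.

```c
#include <stddef.h>

/* Simplified, hypothetical model; these are not Suricata's real types. */
enum sm_type { SM_CONTENT, SM_PCRE };
enum sm_list { LIST_PAYLOAD, LIST_RAW_URI, LIST_MAX };
#define SM_RELATIVE_NEXT 0x01   /* "a relative match follows this one" */

struct sig_match {
    enum sm_type type;
    unsigned flags;
    int idx;                    /* position of the keyword in the rule */
};

struct signature {
    struct sig_match *tail[LIST_MAX];   /* last match in each list */
};

/* Return the most recent content/pcre match across all lists, or NULL. */
static struct sig_match *last_match(const struct signature *s)
{
    struct sig_match *best = NULL;
    for (int l = 0; l < LIST_MAX; l++) {
        struct sig_match *sm = s->tail[l];
        if (sm != NULL && (best == NULL || sm->idx > best->idx))
            best = sm;
    }
    return best;
}

/* Set up a relative pcre: 0 on success, -1 if nothing precedes it. */
int setup_relative_pcre(struct signature *s)
{
    struct sig_match *prev_sm = last_match(s);
    if (prev_sm == NULL)
        return -1;      /* guard stays: prev_sm is dereferenced below */

    switch (prev_sm->type) {
    case SM_CONTENT:
    case SM_PCRE:
        /* Tell the previous match that a relative match is coming up. */
        prev_sm->flags |= SM_RELATIVE_NEXT;
        return 0;
    }
    return -1;
}
```

Widening the lookup to every list, rather than deleting the error path, keeps both the rejection of a rule with no preceding match and the relative-next flag on the match that does precede the pcre.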