Skip to content

detect: warning on rule with pcre only on stream #11878

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
catenacyber wants to merge 1 commit into from
Closed

detect: warning on rule with pcre only on stream #11878

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions src/detect-content.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -453,6 +453,22 @@ void SigParseRequiredContentSize(
*/
bool DetectContentPMATCHValidateCallback(const Signature *s)
{
bool has_pcre = false;
bool has_other = false;
for (SigMatch *sm = s->init_data->smlists[DETECT_SM_LIST_PMATCH]; sm != NULL; sm = sm->next) {
if (sm->type == DETECT_PCRE) {
has_pcre = true;
} else {
has_other = true;
}
}
if (has_pcre && !has_other && s->init_data->sm_cnt == 1) {
SCLogWarning("signature id %d uses pcre on raw stream", s->id);
Copy link
Member

@victorjulien victorjulien Oct 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would like to remove this warning, and move it to the rule analyzer instead

Copy link
Contributor Author

@catenacyber catenacyber Oct 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What is the rule analyzer ? Is it not only run with --engine-analysis ?

I want fuzzing on rules + pcap to skip these bad rules by erroring on it, so that oss-fuzz can find other timeouts

Copy link
Member

@victorjulien victorjulien Oct 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, talking only about the SCLogWarning statement. Analyzer is --engine-analysis.

Copy link
Contributor Author

@catenacyber catenacyber Oct 13, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, so we already have warn_pcre_no_content in --engine-analysis

#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
return false;
#endif
}

if (!(s->flags & SIG_FLAG_DSIZE)) {
return true;
}
Expand Down