Bug #12956
suricata fails to use pcre in SID management (e.g. dropsid.conf)
Status: Closed
Description
In suricata/suricata.inc, under "Test the SID token for the PCRE: keyword", the match for the regular expression will be quoted as follows:
$regex = '/' . preg_quote($matches[2], '/') . '/i';
This defeats the purpose of having the "pcre:" tag in the first place, as it means that only the literal string will be matched. If it worked at all previously, this is a major regression for things like dropsid.conf, because once-working drop rules will no longer be drop rules.
Updated by Adam CM about 2 years ago
Indeed, I've found the commit that caused the regression:
https://github.com/pfsense/FreeBSD-ports/commit/9d8801b49861b259a180b26ebdcb97173a6e6b52
Updated by Marcos M about 2 years ago
- Status changed from New to Closed
- Priority changed from Very High to Normal
The commit says it resolves issue #10244. The reasoning given there is:
The chosen solution was to mimic the current Snort behavior by calling preg_quote() with the user-supplied pcre search string to insure any embedded '/' characters are properly escaped. The comments in the SID MGM configuration file examples state that when using the "pcre" keyword that inclusion of the '/' delimiters is NOT required.
I understand that to mean that pcre can still be used, but the pattern delimiters do not need to be included. If there is one, details showing the issue should be provided. It's probably best to take this to the forums at this point. Given these reasons, I am closing this for now.
Updated by Marcos M about 2 years ago
- Status changed from Closed to Confirmed
I'm reopening this issue, as the function preg_quote escapes all special characters, rather than just delimiters.
https://www.php.net/manual/en/function.preg-quote.php
Indeed, this patch does make pcre significantly less effective, and it doesn't seem worth it for the benefit of input validation.
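The behaviour described in the bug description and in the reopening comment above, as an added PHP example that is not the pfSense package's code: the rule lines, the dropsid.conf pattern and the helper names are all constructed for illustration.

```php
<?php
// Added example (not pfSense Suricata package code): how a SID MGMT "pcre:" token
// behaves when the user pattern is wrapped in preg_quote() versus when only the
// '/' delimiter is escaped. All rule lines and patterns below are constructed.

// Regressed behaviour: preg_quote() escapes every PCRE metacharacter, so the
// user's pattern degrades into a literal substring match.
function build_regex_quoted(string $pattern): string {
    return '/' . preg_quote($pattern, '/') . '/i';
}

// Restored behaviour: the pattern is used as a real PCRE. Only an unescaped '/'
// (which would otherwise end the delimiter early) is escaped, so users still do
// not need to wrap their pattern in delimiters, as the SID MGMT file comments say.
function build_regex_pcre(string $pattern): ?string {
    $escaped = preg_replace('#(?<!\\\\)/#', '\/', $pattern);
    $regex = '/' . $escaped . '/i';
    // Reject invalid PCRE explicitly instead of silently matching nothing.
    return @preg_match($regex, '') === false ? null : $regex;
}

// Return the SIDs of all rules whose text matches the given regex.
function select_sids(string $regex, array $rules): array {
    $sids = [];
    foreach ($rules as $rule) {
        if (preg_match($regex, $rule) === 1 && preg_match('/\bsid:\s*(\d+)/', $rule, $m)) {
            $sids[] = (int)$m[1];
        }
    }
    return $sids;
}

// Constructed sample rules (not taken from any real ruleset).
$rules = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET POLICY Outbound HTTP"; sid:2000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET POLICY Outbound TLS"; sid:2000002; rev:1;)',
    'alert udp $HOME_NET any -> any 53 (msg:"ET INFO DNS query"; sid:2000003; rev:1;)',
];

// A dropsid.conf entry such as "pcre:ET POLICY Outbound (HTTP|TLS)".
$user_pattern = 'ET POLICY Outbound (HTTP|TLS)';

// With preg_quote() the '(', '|' and ')' are escaped, the alternation is lost and
// no rule matches, so the drop list is silently empty.
var_dump(select_sids(build_regex_quoted($user_pattern), $rules));

// With a real PCRE both POLICY rules are selected for dropping.
var_dump(select_sids(build_regex_pcre($user_pattern), $rules));
```

Comparing the two var_dump outputs shows why an operator would see drop rules silently stop working after the regression without any error being logged.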
Updated by Bill Meeks almost 2 years ago
The logic has been changed back to the original behavior by removing the preg_quote() wrapping of the PCRE keyword when using SID MGMT tab features. See pull request here: https://github.com/pfsense/FreeBSD-ports/pull/1179.
Updated by Bill Meeks almost 2 years ago
The pull request has been merged to correct this issue and it can be marked "Resolved".