rules: fix parsing of address lists
authorJason Ish <jason.ish@oisf.net>
Wed, 2 Jul 2025 17:52:27 +0000 (11:52 -0600)
committerJason Ish <jason.ish@oisf.net>
Wed, 2 Jul 2025 18:34:29 +0000 (12:34 -0600)
The previous parser just looked for the next "]" to find the end of a
list, without regard for nesting depth. Instead, step through the string
tracking the depth of nested lists so that the matching "]" is found.

Ticket: #7799

suricata/update/rule.py
tests/test_rule.py

index 169af6ce1a5a52cba9d90da8197b29cc234b9fa6..20ff868c66cb7b4369602f8eb95528405903747e 100644 (file)
@@ -212,9 +212,16 @@ def parse(buf, group=None):
             if not rem:
                 return None
             if rem[0] == "[":
-                end = rem.find("]")
-                if end < 0:
-                    return
+                depth = 1
+                end = 0
+                while depth > 0:
+                    end += 1
+                    if end >= len(rem):
+                        return
+                    if rem[end] == "[":
+                        depth += 1
+                    elif rem[end] == "]":
+                        depth -= 1
                 end += 1
                 token = rem[:end].strip()
                 rem = rem[end:].strip()
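Review bot: The unterminated-list exit `if end >= len(rem): return` in the new walk drops the rule without a word and is the only bare `return` next to the `return None` three lines above it; spell it `return None` and say why, `# unterminated list: the header cannot be tokenized, so the rule is unparseable`. The depth counter itself is right: a `!` before an inner `[` is neither bracket and is skipped, and the first `]` that brings depth back to 0 is this list's own close, so `[a,![b,c]]` yields the whole token rather than stopping at the inner `]`. Because the same walk is presumably reached for port lists as well as address lists (the loop head is outside the hunk), a one-line comment above `depth = 1`, `# find the "]" that closes this (possibly nested) list`, would spare the next reader re-deriving the invariant. parse() starts outside the hunk.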
index c5808d827534f95c8039b9ba346a2c15451685df..a034117f79ff1ffc44a71126e2ab132b1fbdbe9a 100644 (file)
@@ -254,3 +254,11 @@ alert dnp3 any any -> any any (msg:"SURICATA DNP3 Request flood detected"; \
         rule = suricata.update.rule.parse(rule_string)
         self.assertIsNotNone(rule)
         self.assertTrue("ja3" in rule["features"])
+
+    def test_parse_var_lists(self):
+        rule_string = u"""alert http [any,![$EXTERNAL_IP,$REVERSE_PROXY_HOSTS,$ODD_HTTP_HOSTS]] any -> [any,![$EXTERNAL_IP,$REVERSE_PROXY_HOSTS,$ODD_HTTP_HOSTS]] 80 (msg:"TEST Unknown var"; sid: 99000003; rev: 1;)"""
+        rule = suricata.update.rule.parse(rule_string)
+        self.assertEqual(rule["source_addr"], "[any,![$EXTERNAL_IP,$REVERSE_PROXY_HOSTS,$ODD_HTTP_HOSTS]]")
+        self.assertEqual(rule["source_port"], "any")
+        self.assertEqual(rule["dest_addr"], "[any,![$EXTERNAL_IP,$REVERSE_PROXY_HOSTS,$ODD_HTTP_HOSTS]]")
+        self.assertEqual(rule["dest_port"], "80")
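Review bot: test_parse_var_lists covers only the balanced case; the failure path the new walk introduces — an unterminated list now returns None instead of a mis-split rule — has no assertion, so a regression to the old `rem.find("]")` behaviour on unbalanced input would go unnoticed. Add a case whose outer list is never closed, `self.assertIsNone(suricata.update.rule.parse(u'alert http [any,![$EXTERNAL_IP] any -> any any (msg:"x"; sid:1; rev:1;)'))`, which the new `if end >= len(rem): return` should reject. A nested port list such as `[80,[443,8080]]` would also be worth pinning if the same walk handles the port fields (not visible here). The `u` prefix on the rule string is harmless but unnecessary if the test module runs on Python 3 only.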