matchers: fix regular expression matching 363/head
authorJason Ish <jason.ish@oisf.net>
Tue, 30 Sep 2025 21:57:17 +0000 (15:57 -0600)
committerJason Ish <jason.ish@oisf.net>
Tue, 30 Sep 2025 21:57:17 +0000 (15:57 -0600)
A regular expression with multiple ':' was accidentally being parsed as an
ID matcher. Making ID matching more strict.

Ticket: https://redmine.openinfosecfoundation.org/issues/7922

suricata/update/matchers.py
tests/test_matchers.py

index 47178307975f53b51b8e56f9def31a09b549169e..39f7d355188a8f0af176350358b2ccac120e296a 100644 (file)
@@ -101,6 +101,14 @@ class IdRuleMatcher(object):
             parts = entry.split(":")
             if not parts:
                 return None
+
+            # The first part musth parse as a number, if not, its
+            # not a signature ID expression.
+            try:
+                int(parts[0])
+            except:
+                return None
+
             if len(parts) == 1:
                 try:
                     signatureId = int(parts[0])
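Review bot: The new guard around `int(parts[0])` uses a bare `except:`, which also swallows KeyboardInterrupt and SystemExit and turns any unrelated bug into a silent "not an ID expression"; `except ValueError:` is the exception `int()` actually raises for a non-numeric string and is what the check should catch. Note as well that `int()` is more lenient than "must parse as a number" suggests, since it accepts surrounding whitespace, a leading sign and `_` digit separators, so if strictly numeric IDs are the intent a digit-only test on `parts[0].strip()` would be tighter, though the existing `int(parts[0])` on the `len(parts) == 1` path is equally lenient today. The comment also has typos and would read better as `# The first part must parse as a number; if not, it's not a signature ID expression.` The enclosing parse method of IdRuleMatcher begins before this hunk and continues after it.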
@@ -123,6 +131,10 @@ class IdRuleMatcher(object):
                 except:
                     return None
 
+        # If no valid signature IDs were parsed, return None
+        if not matcher.signatureIds:
+            return None
+
         return matcher
 
 
index 07b27fb17b92b9e52ce7abc96c6f167d74fbfa98..6c9bb94cc860935e90384fae802e42c40827d1a8 100644 (file)
@@ -141,3 +141,13 @@ class MetadataMatchTestCase(unittest.TestCase):
         metadata_filter = matchers_mod.MetadataRuleMatch.parse(filter_string)
         self.assertIsNotNone(metadata_filter)
         self.assertTrue(metadata_filter.match(rule))
+
+class ReRuleMatcherTestCase(unittest.TestCase):
+
+    def test_parse_enable_conf_expression(self):
+        """Test regular expression matcher with multiple ':'.
+        Ticket: https://redmine.openinfosecfoundation.org/issues/7922
+        """
+        expression = r're:^.+\(msg:\"(ET|ETPRO)\s+(CURRENT|MALWARE|MOBILE_MALWARE|TROJAN|CNC|ACTIVEX|WORM|NETBIOS|USER_AGENTS).+\s+sid:\s?(?!(2026850|2809199);).*$'
+        matcher = matchers_mod.parse_rule_match(expression)
+        self.assertEqual(matcher.__class__, matchers_mod.ReRuleMatcher)
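Review bot: The new test pins only that the `re:` expression is dispatched to ReRuleMatcher; nothing asserts the other half of the fix, that IdRuleMatcher now rejects a non-numeric first part and still accepts a plain signature ID, so a later change to the dispatch order in parse_rule_match could keep this test green while breaking ID matching. Two direct assertions would close that gap: `self.assertIsNone(matchers_mod.IdRuleMatcher.parse("re:foo:bar"))` and `self.assertIsNotNone(matchers_mod.IdRuleMatcher.parse("2026850"))`, assuming IdRuleMatcher exposes the same `parse` entry point that MetadataRuleMatch does in the test above. For the final check, `self.assertIsInstance(matcher, matchers_mod.ReRuleMatcher)` is the idiomatic form and gives a clearer failure message than comparing `__class__`. PEP 8 also calls for two blank lines before the new top-level test class.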