From: Eric Leblond
Date: Mon, 18 Feb 2019 21:31:26 +0000 (+0100)
Subject: detect-flowbits: error on some invalid syntax
X-Git-Tag: suricata-5.0.0-beta1~171
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=910c3691afc4f65ba118458e9f0d939805c80d40;p=thirdparty%2Fsuricata.git

detect-flowbits: error on some invalid syntax

The regular expression was accepting something like "flowbits:!isset,isma;" without complaining even if it is not correct and don't have the expected result.
---
diff --git a/src/detect-flowbits.c b/src/detect-flowbits.c
index 23cd2036d3..efb946d66c 100644
--- a/src/detect-flowbits.c
+++ b/src/detect-flowbits.c
@@ -45,7 +45,7 @@
 #include "util-unittest.h"
 #include "util-debug.h"
-#define PARSE_REGEX "([a-z]+)(?:,\\s*(.*))?"
+#define PARSE_REGEX "^([a-z]+)(?:,\\s*(.*))?"
 static pcre *parse_regex;
 static pcre_extra *parse_regex_study;
@@ -769,6 +769,9 @@ static int FlowBitsTestSig02(void)
 s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"toggle rule need an option\"; flowbits:toggle; content:\"GET \"; sid:5;)");
 FAIL_IF_NOT_NULL(s);
+ s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"!set is not an option\"; flowbits:!set,myerr; content:\"GET \"; sid:6;)");
+ FAIL_IF_NOT_NULL(s);
+
 SigGroupBuild(de_ctx);
 DetectEngineCtxFree(de_ctx);
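Review bot: The new `PARSE_REGEX` is anchored only at the start, so text after the keyword that is not introduced by a comma still matches and is dropped without an error. A value such as `noalert junk` would presumably still be captured as `noalert`, unless code outside this hunk rejects it. In a detection rule parser, a typo that loads cleanly can leave a rule that never behaves as written, so I would anchor both ends: `#define PARSE_REGEX "^([a-z]+)(?:,\\s*(.*))?$"`. It is also worth confirming that the option value reaches this regex with leading whitespace already stripped, because `^` would otherwise reject a value with a space after the colon. A short comment above the define, e.g. `/* anchored: the whole option must be <cmd>[,<name>] */`, would record the intent.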
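Review bot: The added case covers `flowbits:!set,myerr` only, while the commit message names `flowbits:!isset,isma` as the input that was wrongly accepted, and no test here pins that exact form. I would add it next to the sid:6 case as `s = de_ctx->sig_list = SigInit(de_ctx,"alert ip any any -> any any (msg:\"!isset is not an option\"; flowbits:!isset,isma; content:\"GET \"; sid:7;)");` followed by `FAIL_IF_NOT_NULL(s);` (the msg text and sid are illustrative). FlowBitsTestSig02 starts and ends outside the hunk, so the numbering should be checked against the rest of the function.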