From: Jason Ish
Date: Tue, 30 Sep 2025 21:57:17 +0000 (-0600)
Subject: matchers: fix regular expression matching
X-Git-Tag: 1.3.7~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F363%2Fhead;p=thirdparty%2Fsuricata-update.git

matchers: fix regular expression matching

A regular express with multiple ':' was accidentally being parsed as an ID matcher. Making ID matching more strict.

Ticket: https://redmine.openinfosecfoundation.org/issues/7922
---
diff --git a/suricata/update/matchers.py b/suricata/update/matchers.py
index 4717830..39f7d35 100644
--- a/suricata/update/matchers.py
+++ b/suricata/update/matchers.py
@@ -101,6 +101,14 @@ class IdRuleMatcher(object):
 parts = entry.split(":")
 if not parts:
 return None
+
+ # The first part musth parse as a number, if not, its
+ # not a signature ID expression.
+ try:
+ int(parts[0])
+ except:
+ return None
+
 if len(parts) == 1:
 try:
 signatureId = int(parts[0])
@@ -123,6 +131,10 @@ class IdRuleMatcher(object):
 except:
 return None
+ # If no valid signature IDs were parsed, return None
+ if not matcher.signatureIds:
+ return None
+
 return matcher
diff --git a/tests/test_matchers.py b/tests/test_matchers.py
index 07b27fb..6c9bb94 100644
--- a/tests/test_matchers.py
+++ b/tests/test_matchers.py
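Review bot: The new guard `try: int(parts[0])` / `except: return None` uses a bare `except:`, which also swallows `KeyboardInterrupt` and `SystemExit`; because `parts[0]` comes from `str.split` the only failure possible here is `ValueError`, so narrow it to `except ValueError:`. The comment above it has two typos and should read `# The first part must parse as a number; if not, it's` / `# not a signature ID expression.`. Note that `int()` also accepts surrounding whitespace, a sign and underscores (`int(" 1_0 ")` is 10), so if a strict numeric ID form is intended a digit check on the stripped part would be tighter, though that goes beyond this fix. The bare `except:` on the context lines of the second hunk in this file is pre-existing and could be narrowed the same way in a follow-up. The enclosing method (presumably the `IdRuleMatcher` parser) starts before the hunk, so its signature and how `matcher.signatureIds` is populated are not visible here.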
@@ -141,3 +141,13 @@ class MetadataMatchTestCase(unittest.TestCase):
 metadata_filter = matchers_mod.MetadataRuleMatch.parse(filter_string)
 self.assertIsNotNone(metadata_filter)
 self.assertTrue(metadata_filter.match(rule))
+
+class ReRuleMatcherTestCase(unittest.TestCase):
+
+ def test_parse_enable_conf_expression(self):
+ """Test regular expression matcher with multiple ':'.
+ Ticket: https://redmine.openinfosecfoundation.org/issues/7922
+ """
+ expression = r're:^.+\(msg:\"(ET|ETPRO)\s+(CURRENT|MALWARE|MOBILE_MALWARE|TROJAN|CNC|ACTIVEX|WORM|NETBIOS|USER_AGENTS).+\s+sid:\s?(?!(2026850|2809199);).*$'
+ matcher = matchers_mod.parse_rule_match(expression)
+ self.assertEqual(matcher.__class__, matchers_mod.ReRuleMatcher)
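Review bot: The new test only asserts that `parse_rule_match` yields a `ReRuleMatcher`, so it would still pass if the ID matcher were never consulted at all; pin the actual fix by also asserting that the ID parser rejects this expression, e.g. `self.assertIsNone(matchers_mod.IdRuleMatcher.parse(expression))` (assuming `IdRuleMatcher` exposes a `parse` classmethod like `MetadataRuleMatch` does in the context lines). A companion case confirming that a plain ID expression such as `"2026850"` still yields an `IdRuleMatcher` would guard against the stricter parsing regressing ordinary use. `self.assertIsInstance(matcher, matchers_mod.ReRuleMatcher)` is the idiomatic form of the `__class__` comparison and produces a clearer failure message.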