From ca28739a397b1abb1caf2761c706658b51c9497e Mon Sep 17 00:00:00 2001
From: Jason Ish
Date: Tue, 30 Sep 2025 15:57:17 -0600
Subject: [PATCH] matchers: fix regular expression matching

A regular express with multiple ':' was accidentally being parsed as an ID matcher. Making ID matching more strict.

Ticket: https://redmine.openinfosecfoundation.org/issues/7922
---
 suricata/update/matchers.py | 12 ++++++++++++
 tests/test_matchers.py | 10 ++++++++++
 2 files changed, 22 insertions(+)

diff --git a/suricata/update/matchers.py b/suricata/update/matchers.py
index 4717830..39f7d35 100644
--- a/suricata/update/matchers.py
+++ b/suricata/update/matchers.py
@@ -101,6 +101,14 @@ class IdRuleMatcher(object):
 parts = entry.split(":")
 if not parts:
 return None
+
+ # The first part musth parse as a number, if not, its
+ # not a signature ID expression.
+ try:
+ int(parts[0])
+ except:
+ return None
+
 if len(parts) == 1:
 try:
 signatureId = int(parts[0])
@@ -123,6 +131,10 @@ class IdRuleMatcher(object):
 except:
 return None
+ # If no valid signature IDs were parsed, return None
+ if not matcher.signatureIds:
+ return None
+
 return matcher
diff --git a/tests/test_matchers.py b/tests/test_matchers.py
index 07b27fb..6c9bb94 100644
--- a/tests/test_matchers.py
+++ b/tests/test_matchers.py
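Review bot: The new guard in the first hunk of matchers.py wraps `int(parts[0])` in a bare `except:`, which also swallows KeyboardInterrupt and SystemExit; `int()` on a `str` raises only `ValueError`, so `except ValueError:` is the precise catch (the bare `except` visible as context in the second hunk is pre-existing and not part of this change). The comment above it has typos and reads better as `# The first part must parse as a number; if not, it is` / `# not a signature ID expression.`. Note also that `int()` accepts surrounding whitespace, a leading sign and underscores (`" +1_0"` parses), so "more strict" here still means looser than digits-only; if that matters, `parts[0].strip().isdigit()` is the tighter test, but it would also change which inputs the later `int(parts[0])` call ever sees. `IdRuleMatcher.parse` begins before the first hunk and its body between the two hunks is not shown, so I cannot see how `matcher.signatureIds` is populated for the second hunk's new `if not matcher.signatureIds` check.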
@@ -141,3 +141,13 @@ class MetadataMatchTestCase(unittest.TestCase):
 metadata_filter = matchers_mod.MetadataRuleMatch.parse(filter_string)
 self.assertIsNotNone(metadata_filter)
 self.assertTrue(metadata_filter.match(rule))
+
+class ReRuleMatcherTestCase(unittest.TestCase):
+
+ def test_parse_enable_conf_expression(self):
+ """Test regular expression matcher with multiple ':'.
+ Ticket: https://redmine.openinfosecfoundation.org/issues/7922
+ """
+ expression = r're:^.+\(msg:\"(ET|ETPRO)\s+(CURRENT|MALWARE|MOBILE_MALWARE|TROJAN|CNC|ACTIVEX|WORM|NETBIOS|USER_AGENTS).+\s+sid:\s?(?!(2026850|2809199);).*$'
+ matcher = matchers_mod.parse_rule_match(expression)
+ self.assertEqual(matcher.__class__, matchers_mod.ReRuleMatcher)
--
2.47.3
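Review bot: The new test only checks the class returned by `parse_rule_match`, so the actual regression (the ID matcher accepting a regular expression with several ':') is pinned indirectly and depends on how `parse_rule_match` orders its matchers, which I cannot see here; adding `self.assertIsNone(matchers_mod.IdRuleMatcher.parse(expression))` asserts the fix itself. The type check is more idiomatic as `self.assertIsInstance(matcher, matchers_mod.ReRuleMatcher)`. Since the change makes ID parsing stricter, a companion case with a plain numeric ID such as `"2026850"` still parsing as an `IdRuleMatcher` would guard against the stricter check rejecting valid entries.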