git.ipfire.org Git - thirdparty/suricata.git/commit
detect/content: account for distance variables 13440/head
author Jeff Lucovsky <jlucovsky@oisf.net>
Tue, 17 Dec 2024 12:56:42 +0000 (07:56 -0500)
committer Victor Julien <victor@inliniac.net>
Fri, 13 Jun 2025 18:03:40 +0000 (20:03 +0200)
commit f3b544eec887127592e2dd481741e95960b9f546
tree 46449361a8be436ccacf5107f522542b8cbfb2bb
parent b027350efc78d6ae7af1bf926115176ca6323257
detect/content: account for distance variables

Under some cases (below), the depth and offset values are used
twice. This commit disregards the distance variable (if any), when
computing the final depth.

These rules are logically equivalent:
1. alert tcp any any -> any 8080 (msg:"distance name"; flow:to_server; content:"Authorization:"; content:"5f71ycy"; distance:0; byte_extract:1,0,option_len,string,relative; content:!"|38|"; distance:option_len; within:1; content:"|37|"; distance:-1; within:1; content:"|49|"; distance:option_len; within:1; sid:1;)
2. alert tcp any any -> any 8080 (msg:"distance number"; flow:to_server; content:"Authorization:"; content:"5f71ycy"; distance:0; byte_extract:1,0,option_len,string,relative; content:!"|38|"; distance:7; within:1; content:"|37|"; distance:-1; within:1; content:"|49|"; distance:option_len; within:1; sid:2;)

The differences:
Rule 1: content:!"|38|"; distance:option_len; within:1; //option_len == 7

Rule 2: content:!"|38|"; distance:7; within:1;

Without this commit, rule 2 triggers an alert but rule 1 doesn't.

Issue: 7390
(cherry picked from commit ace0d3763674a8dc624ad1f1744ea7442cd86d43)
src/detect-content.c
src/detect-engine-content-inspection.c
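As an added illustration (not Suricata's code and not part of this commit), a simplified Python model of relative content matching: it assumes a content with distance D and within W must lie entirely in payload[cursor+D : cursor+D+W], that byte_extract advances the cursor past the bytes it reads, and that a negated content leaves the cursor untouched. Under those assumptions the two rules from the message give identical verdicts on constructed payloads, which is the equivalence the commit restores in the engine.

```python
def evaluate(rule, payload):
    """Run content/byte_extract steps in order against one payload; True if all hold."""
    cursor, variables = 0, {}   # cursor = end of the previous match, anchor for relative keywords
    for step in rule:
        if step[0] == "byte_extract":
            _, nbytes, offset, name = step
            pos = cursor + offset
            chunk = payload[pos:pos + nbytes]
            if len(chunk) != nbytes or not chunk.isdigit():
                return False
            variables[name] = int(chunk)   # "string" mode: the bytes spell a decimal number
            cursor = pos + nbytes          # assumption: cursor moves past the extracted bytes
            continue
        _, pattern, negated, distance, within = step
        if distance is None and within is None:
            start, end = 0, len(payload)   # non-relative content: search the whole buffer
        else:
            dist = variables[distance] if isinstance(distance, str) else (distance or 0)
            start = cursor + dist          # distance: the match starts this far after the cursor
            end = start + within if within is not None else len(payload)  # within: window length
        found = payload.find(pattern, max(start, 0), min(end, len(payload)))
        if (found == -1) != negated:       # positive content absent, or negated content present
            return False
        if not negated:                    # a negated content leaves the cursor where it was
            cursor = found + len(pattern)
    return True

def make_rule(negated_distance):
    """The commit's rule; only the negated content's distance differs between sid 1 and sid 2."""
    return [
        ("content", b"Authorization:", False, None, None),
        ("content", b"5f71ycy", False, 0, None),                # distance:0
        ("byte_extract", 1, 0, "option_len"),                   # byte_extract:1,0,option_len,string,relative
        ("content", b"\x38", True, negated_distance, 1),        # content:!"|38|"; distance:...; within:1
        ("content", b"\x37", False, -1, 1),                     # content:"|37|"; distance:-1; within:1
        ("content", b"\x49", False, "option_len", 1),           # content:"|49|"; distance:option_len; within:1
    ]

RULE_1 = make_rule("option_len")   # sid:1, distance given as the extracted variable
RULE_2 = make_rule(7)              # sid:2, the same distance written as a literal

# Constructed payloads (not captured traffic): after "5f71ycy" comes '7' (so option_len == 7),
# seven filler bytes, then the byte that the last two contents inspect at cursor + 7.
PAYLOAD_MATCH = b"Authorization: 5f71ycy7xxxxxxxI"    # 'I' is 0x49: both rules should fire
PAYLOAD_NOMATCH = b"Authorization: 5f71ycy7xxxxxxx8"  # '8' is 0x38: the negated content fails

def compare(payload):
    """Verdicts of rule 1 and rule 2; logically equivalent rules must agree on every payload."""
    return evaluate(RULE_1, payload), evaluate(RULE_2, payload)
```

Because content:"|37|"; distance:-1; within:1 re-checks the extracted byte, the rules can only fire when option_len is 7, so under this model they agree on every payload, not only the ones shown.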