git.ipfire.org Git - thirdparty/suricata.git/commit
detect/content: account for distance variables
author Jeff Lucovsky <jlucovsky@oisf.net>
Tue, 17 Dec 2024 12:56:42 +0000 (07:56 -0500)
committer Victor Julien <victor@inliniac.net>
Thu, 5 Jun 2025 17:14:32 +0000 (19:14 +0200)
commit ace0d3763674a8dc624ad1f1744ea7442cd86d43
tree d6aca79e736eb2ceba072535e3b4e7122ce77ec7
parent 5dcd0a36f900c60affb39d9bd1dae3ebbc0c73e0
detect/content: account for distance variables

In some cases (below), the depth and offset values are used
twice. This commit disregards the distance variable (if any) when
computing the final depth.

These rules are logically equivalent:
1. alert tcp any any -> any 8080 (msg:"distance name"; flow:to_server; content:"Authorization:"; content:"5f71ycy"; distance:0; byte_extract:1,0,option_len,string,relative; content:!"|38|"; distance:option_len; within:1; content:"|37|"; distance:-1; within:1; content:"|49|"; distance:option_len; within:1; sid:1;)
2. alert tcp any any -> any 8080 (msg:"distance number"; flow:to_server; content:"Authorization:"; content:"5f71ycy"; distance:0; byte_extract:1,0,option_len,string,relative; content:!"|38|"; distance:7; within:1; content:"|37|"; distance:-1; within:1; content:"|49|"; distance:option_len; within:1; sid:2;)

The differences:
Rule 1: content:!"|38|"; distance:option_len; within:1; //option_len == 7

Rule 2: content:!"|38|"; distance:7; within:1;

Without this commit, rule 2 triggers an alert but rule 1 doesn't.

Issue: 7390
src/detect-content.c
src/detect-engine-content-inspection.c
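The two rules quoted in the commit message differ only in whether the negated content's distance is the byte_extract variable option_len or the literal 7. The worked example below is an added illustration, not Suricata source and not the code touched by this commit: it is a deliberately simplified Python model of a relative content chain (non-relative content, content with distance/within, negated content, and byte_extract in string mode with relative), built on the assumed semantics that a relative byte_extract advances the cursor past the extracted bytes and that a successful negated content leaves the cursor where it was. The engine's backtracking over alternative earlier matches is not modelled. Run over constructed payloads, it shows why the rules are equivalent: the content:"|37|"; distance:-1; within:1 check looks back at the very byte that byte_extract read, so the rule can only fire when option_len is 7, which is exactly what sid:2 hardcodes. The model implements the intended semantics and therefore cannot reproduce the pre-fix behaviour where sid:1 failed to alert.

```python
# Toy model of a Suricata-style relative content chain (added example, not
# Suricata source). Modelled: non-relative content, relative content with
# distance/within, negated content, byte_extract in "string" (decimal ASCII)
# mode with "relative". Assumptions: relative byte_extract moves the cursor
# past the extracted bytes; a successful negated content does not move it.
# Backtracking over alternative earlier matches is deliberately left out.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

Distance = Optional[Union[int, str]]  # literal, byte_extract variable name, or absent


@dataclass
class Content:
    pattern: bytes
    negated: bool = False
    distance: Distance = None
    within: Optional[int] = None

    @property
    def relative(self) -> bool:
        return self.distance is not None or self.within is not None


@dataclass
class ByteExtract:
    nbytes: int   # bytes to read
    offset: int   # offset from the current cursor (relative)
    name: str     # variable later distance: keywords may reference


def resolve(dist: Distance, variables: Dict[str, int]) -> int:
    """Turn a distance: argument into an int; a name refers to a byte_extract var."""
    if dist is None:
        return 0
    if isinstance(dist, str):
        return variables[dist]
    return dist


def match_chain(payload: bytes, chain: List[Union[Content, ByteExtract]]) -> bool:
    cursor = 0  # end of the previous successful match
    variables: Dict[str, int] = {}

    for kw in chain:
        if isinstance(kw, ByteExtract):
            start = cursor + kw.offset
            chunk = payload[start:start + kw.nbytes]
            if len(chunk) != kw.nbytes or not chunk.isdigit():
                return False
            variables[kw.name] = int(chunk)
            cursor = start + kw.nbytes  # relative extraction consumes the bytes
            continue

        if kw.relative:
            # distance: minimum gap after the cursor; within: the match must end
            # no more than `within` bytes after that point
            lo = max(0, cursor + resolve(kw.distance, variables))
            hi = len(payload) if kw.within is None else lo + kw.within
        else:
            lo, hi = 0, len(payload)  # non-relative content searches the whole buffer

        pos = payload.find(kw.pattern, lo, hi)  # pattern must lie fully in [lo, hi)
        if kw.negated:
            if pos != -1:
                return False
            continue  # negated match leaves the cursor untouched
        if pos == -1:
            return False
        cursor = pos + len(kw.pattern)
    return True


def rule_chain(negated_distance: Distance) -> List[Union[Content, ByteExtract]]:
    """Content chain shared by sid:1 and sid:2; only the negated content's
    distance differs (the option_len variable vs. the literal 7)."""
    return [
        Content(b"Authorization:"),
        Content(b"5f71ycy", distance=0),
        ByteExtract(1, 0, "option_len"),
        Content(b"\x38", negated=True, distance=negated_distance, within=1),
        Content(b"\x37", distance=-1, within=1),   # looks back at the extracted byte
        Content(b"\x49", distance="option_len", within=1),
    ]


RULE_1 = rule_chain("option_len")  # sid:1, distance:option_len
RULE_2 = rule_chain(7)             # sid:2, distance:7

# Constructed sample payloads (not real traffic).
HIT = b"Authorization: 5f71ycy7abcdefgI"       # option_len=7, byte at +7 is 'I'
MISS_38 = b"Authorization: 5f71ycy7abcdefg8"   # negated |38| check fails
MISS_LEN = b"Authorization: 5f71ycy3abcI"      # option_len=3, |37| at -1 fails


def compare(payload: bytes) -> Tuple[bool, bool]:
    """Evaluate both rules on one payload; equivalent rules agree on every input."""
    return match_chain(payload, RULE_1), match_chain(payload, RULE_2)


if __name__ == "__main__":
    for name, p in (("HIT", HIT), ("MISS_38", MISS_38), ("MISS_LEN", MISS_LEN)):
        print(name, compare(p))
```

Under this model both rules agree on every constructed payload (True/True on HIT, False/False on the two misses), which is the equivalence the commit message asserts; the divergence it describes lives in how the real engine computed depth for a variable distance, not in the rule logic.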