Failure to catch unclosed semicolon #11

Open

jufajardini opened this issue Sep 24, 2024 · 4 comments

@jufajardini
The rule below will fail parsing by Suricata update with error (portion with the parsing issue highlighted by me):
bad option value formatting (possible missing semicolon) for keyword content: '!".mozilla.net'

"alert tls $HOME_NET any -> any any (msg:"🐾 - 🚨 Possible Windows Installer or Bitsadmin TLSv1.2 connection to FQDN - T1105"; flow:to_server, stateless; ja3.hash; content:"bd0bf25947d4a37404f0424edf4db9ad"; fast_pattern; tls_sni; content:!"microsoft.com"; endswith; nocase; content:!"live.com"; endswith; nocase; content:!"google.com"; endswith; nocase; content:!".ms"; endswith; nocase; content:!"libreoffice.org"; endswith; nocase; content:!"skype.com"; endswith; nocase; content:!"windows.net"; endswith; nocase; content:!"googleapis.com"; endswith; nocase; content:!"office.com"; endswith; nocase; content:!"azureedge.net"; endswith; nocase; content:!"sophosupd.com"; endswith; nocase; content:!"sophosxl.net"; endswith; nocase; content:!"sophos.com"; endswith; nocase; content:!"office.net"; endswith; nocase; content:!"jive.com"; endswith; nocase; content:!"adobe.com"; endswith; nocase; content:!"avast.com"; endswith; nocase; content:!"mozilla.org"; endswith; nocase; content:!".microsoft"; nocase; endswith; content:!".gvt1.com"; nocase; endswith; content:!".msedge.net"; nocase; endswith; content:!".msn.com"; nocase; endswith; content:!".microsoftonline.com"; nocase; endswith; content:!".windows.com"; nocase; endswith; content:!".bing.com"; nocase; endswith; content:!".mozilla.net; nocase; endswith; reference:url,https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/#download; reference:url,https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/#download; reference:url,https://www.senseon.io/resource/resurgent-usb-malware-battling-raspberry-robin/; target:src_ip; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer, created_at 2023_05_18, updated_at 2024_09_05; sid:3300209; rev:18; classtype:policy-violation;)"

I was made aware of this through https://forum.suricata.io/t/bad-option-value-formatting-possible-missing-semicolon-for-keyword-content/4865 and when I reached out to the Paw Patrules maintainer, they mentioned that probably the Suricata language server didn't catch those, so I decided to register this issue.

Is it possible that in some cases the language server is failing to catch the unclosed semicolon?

Related issue with the Paw Patrules rules set:
woundride/pawpatrules#2
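An added example, not code from suricata-language-server or from Suricata itself: a small stand-alone Python linter that re-creates the check behind the error quoted above. The logged value `'!".mozilla.net'` shows that the engine cuts each option at the first unescaped `;` (a literal `;` inside a content value has to be written `\;`) and then requires a value that opens with `"` or `!"` to end with `"`. The two rule strings in the block are constructed, trimmed copies of the rule from this issue; the header regex, function names and the wording of the "no terminating" message are my own.

```python
"""Added example (not suricata-language-server or Suricata code).

Cuts each rule option at the first unescaped ';' and then requires a value
that opens with '"' or '!"' to close with '"'.  In the rule from this issue
the cut lands right after .mozilla.net, so the value '!".mozilla.net' is
rejected, which is the same complaint suricata -T prints.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RuleProblem:
    keyword: str  # option keyword, e.g. "content"
    value: str    # raw option value as cut by the ';' scan
    message: str


# Rule header: action proto src sport dir dst dport (options)
_HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<options>.*)\)\s*$",
    re.S,
)


def split_options(options: str) -> list[tuple[str, bool]]:
    """Cut the option section at every unescaped ';'.

    Returns (text, terminated) pairs; 'terminated' is False only for text
    left after the last ';'.  Quotes are deliberately not tracked: that is
    why the broken value stops at '.mozilla.net' instead of swallowing the
    rest of the rule.
    """
    parts: list[tuple[str, bool]] = []
    buf: list[str] = []
    i = 0
    while i < len(options):
        ch = options[i]
        if ch == "\\" and i + 1 < len(options):
            buf.extend(options[i : i + 2])  # keep '\;' and '\"' intact
            i += 2
            continue
        if ch == ";":
            parts.append(("".join(buf).strip(), True))
            buf = []
        else:
            buf.append(ch)
        i += 1
    tail = "".join(buf).strip()
    if tail:
        parts.append((tail, False))
    return parts


def check_options(options: str) -> list[RuleProblem]:
    """Flag quoted values that are never closed, and any trailing option
    that has no terminating ';' at all."""
    problems: list[RuleProblem] = []
    for raw, terminated in split_options(options):
        if not raw:
            continue
        keyword, sep, value = raw.partition(":")
        keyword, value = keyword.strip(), value.strip()
        if not terminated:
            problems.append(RuleProblem(keyword, value, 'no terminating ";" for this option'))
            continue
        if not sep:
            continue  # bare keyword such as nocase, endswith, fast_pattern
        body = value[1:] if value.startswith("!") else value  # strip '!' negation
        if body.startswith('"') and not (len(body) >= 2 and body.endswith('"')):
            problems.append(RuleProblem(
                keyword, value, "bad option value formatting (possible missing semicolon)"))
    return problems


def check_rule(rule: str) -> list[RuleProblem]:
    """Check one complete rule line; an unparseable header is reported too."""
    m = _HEADER_RE.match(rule)
    if m is None:
        return [RuleProblem("", rule.strip(), "header is not 'action proto src port dir dst port (options)'")]
    return check_options(m.group("options"))


# Constructed samples: a trimmed copy of the rule from this issue, still
# carrying the unclosed quote on .mozilla.net, and the corrected line.
BROKEN_RULE = (
    'alert tls $HOME_NET any -> any any (msg:"Possible Bitsadmin TLSv1.2 connection"; '
    'flow:to_server, stateless; ja3.hash; content:"bd0bf25947d4a37404f0424edf4db9ad"; '
    'fast_pattern; tls_sni; content:!".bing.com"; nocase; endswith; '
    'content:!".mozilla.net; nocase; endswith; sid:3300209; rev:18; classtype:policy-violation;)'
)
FIXED_RULE = BROKEN_RULE.replace('content:!".mozilla.net;', 'content:!".mozilla.net";')

if __name__ == "__main__":
    for name, rule in (("broken", BROKEN_RULE), ("fixed", FIXED_RULE)):
        problems = check_rule(rule)
        print(f"{name}: {'clean' if not problems else ''}")
        for p in problems:
            print(f"  {p.message} for keyword {p.keyword}: {p.value!r}")
```

Running it reports one problem for the broken line (keyword `content`, value `!".mozilla.net`) and none for the fixed one. The check only catches a quote that is opened and never closed before the next `;`; like the engine's own test, it does not validate what is inside the quotes, so a `suricata -T` run against the final rule file is still the authoritative check.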

@jufajardini jufajardini changed the title Failured to catch unclosed semicolon Failure to catch unclosed semicolon Sep 25, 2024
regit (Member) commented Nov 28, 2024

Sorry for the delay, I confirm the issue. Suricata -T is detecting the problem but it is ignored by SLS.

suricata -l /tmp -T -S pawpatrules.rules 
{"timestamp":"2024-11-28T22:38:20.799554+0100","log_level":"Notice","event_type":"engine","engine":{"message":"This is Suricata version 8.0.0-dev (7bb86a15f7 2024-11-28) running in SYSTEM mode","thread_name":"Suricata-Main","module":"suricata"}}
{"timestamp":"2024-11-28T22:38:20.864329+0100","log_level":"Warning","event_type":"engine","engine":{"message":"eve module 'ikev2' has been replaced by 'ike'","thread_name":"Suricata-Main","module":"runmodes"}}
{"timestamp":"2024-11-28T22:38:20.876879+0100","log_level":"Error","event_type":"engine","engine":{"message":"bad option value formatting (possible missing semicolon) for keyword content: '!\".mozilla.net'","thread_name":"Suricata-Main","module":"detect-parse"}}
{"timestamp":"2024-11-28T22:38:20.876935+0100","log_level":"Error","event_type":"engine","engine":{"message":"error parsing signature \"alert tls $HOME_NET any -> any any (msg:\"🐾 - 🚨 Possible Windows Installer or Bitsadmin TLSv1.2 connection to FQDN - T1105\"; flow:to_server, stateless; ja3.hash; content:\"bd0bf25947d4a37404f0424edf4db9ad\"; fast_pattern; tls_sni; content:!\"microsoft.com\"; endswith; nocase; content:!\"live.com\"; endswith; nocase; content:!\"google.com\"; endswith; nocase; content:!\".ms\"; endswith; nocase; content:!\"libreoffice.org\"; endswith; nocase; content:!\"skype.com\"; endswith; nocase; content:!\"windows.net\"; endswith; nocase; content:!\"googleapis.com\"; endswith; nocase; content:!\"office.com\"; endswith; nocase; content:!\"azureedge.net\"; endswith; nocase; content:!\"sophosupd.com\"; endswith; nocase; content:!\"sophosxl.net\"; endswith; nocase; content:!\"sophos.com\"; endswith; nocase; content:!\"office.net\"; endswith; nocase; content:!\"jive.com\"; endswith; nocase; content:!\"adobe.com\"; endswith; nocase; content:!\"avast.com\"; endswith; nocase; content:!\"mozilla.org\"; endswith; nocase; content:!\".microsoft\"; nocase; endswith; content:!\".gvt1.com\"; nocase; endswith; content:!\".msedge.net\"; nocase; endswith; content:!\".msn.com\"; nocase; endswith; content:!\".microsoftonline.com\"; nocase; endswith; content:!\".windows.com\"; nocase; endswith; content:!\".bing.com\"; nocase; endswith; content:!\".mozilla.net; nocase; endswith; reference:url,https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/#download; reference:url,https://lolbas-project.github.io/lolbas/Binaries/AppInstaller/#download; reference:url,https://www.senseon.io/resource/resurgent-usb-malware-battling-raspberry-robin/; target:src_ip; metadata:attack_target Client_and_Server, signature_severity Major, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id 
T1105, mitre_technique_name Ingress_Tool_Trans
{"timestamp":"2024-11-28T22:38:20.877090+0100","log_level":"Warning","event_type":"engine","engine":{"message":"1 rule files specified, but no rules were loaded!","thread_name":"Suricata-Main","module":"detect"}}
{"timestamp":"2024-11-28T22:38:20.877192+0100","log_level":"Error","event_type":"engine","engine":{"message":"Loading signatures failed.","thread_name":"Suricata-Main","module":"suricata"}}

@regit regit self-assigned this Nov 28, 2024
regit (Member) commented Nov 28, 2024

OK, looks like it is a suricata bug :)

regit (Member) commented Nov 28, 2024

Suricata bug opened https://redmine.openinfosecfoundation.org/issues/7419

@jufajardini (Author)

> OK, looks like it is a suricata bug :)

When the bug report backfires xD Thanks for submitting the report! :)

regit pushed a commit to regit/suricata-language-server that referenced this issue Jan 16, 2025
Ref: StamusNetworks#11
* add 2 common variables on suricata conf
* does not open "rules.json" if it does not exist