Skip to content

Commit

Permalink
detect/content: Message for escaping backslash
Browse files Browse the repository at this point in the history 
So far, if the rule loaded had a backslash character ("\") in its
content field, the rule will fail to load but without giving a
descriptive error message. This patch tells the user to escape the
troubling character.

Before
```
9409] 7/6/2019 -- 16:12:22 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Backslash needs escaping msg"; flow:established,to_server; content:"MyBackslash\here"; sid:86; rev:1; )" from file /var/lib/suricata/rules/myrule.rules at line 1
```

After
```
[9409] 7/6/2019 -- 16:12:22 - (detect-content.c:155) <Error> (DetectContentDataParse) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - '\' has to be escaped
[9409] 7/6/2019 -- 16:12:22 - (detect-engine-loader.c:184) <Error> (DetectLoadSigFile) -- [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Backslash needs escaping msg"; flow:established,to_server; content:"MyBackslash\here"; sid:86; rev:1; )" from file /var/lib/suricata/rules/myrule.rules at line 1
```

Closes redmine ticket OISF#2626
  • Loading branch information
@inashivb @victorjulien
inashivb authored and victorjulien committed Jun 17, 2019
1 parent 30fd80b commit 7c7e044
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/detect-content.c
View file
Expand Up @@ -152,7 +152,7 @@ int DetectContentDataParse(const char *keyword, const char *contentstr,
str[x] = str[i];
x++;
} else {
//SCLogDebug("Can't escape %c", str[i]);
SCLogError(SC_ERR_INVALID_SIGNATURE, "'%c' has to be escaped", str[i-1]);
goto error;
}
escape = 0;
Expand Down

0 comments on commit 7c7e044

Please sign in to comment.