Errors parsing network info

[danielpoliakov]

Hi,

refering to network examples in these sections of docs:

• IPs
• ports

---

Negated lists

s := `alert tcp any any -> any ![80,443,9000] (msg:"test"; content:"123"; sid:1; rev:1;)`
r, _ := gonids.ParseRule(s)
fmt.Println(r)

outputs

alert tcp any any -> any [![80,443,9000] (msg:"test"; content:"123"; sid:1; rev:1;)

and

s := `alert tcp any any -> ![1.1.1.1,1.1.1.2] any (msg:"test"; content:"123"; sid:1; rev:1;)`
r, _ := gonids.ParseRule(s)
fmt.Println(r)

outputs

alert tcp any any -> [![1.1.1.1,1.1.1.2] any (msg:"test"; content:"123"; sid:1; rev:1;)

which is invalid.

---

Spaces in network components

Gonids outputs error when network components contain spaces. Spaces in list of IPs(ranges)/ports are valid based on the examples in docs and my experiments.

s := `alert tcp any any -> [1.1.1.1, 1.1.1.2] any (msg:"test"; content:"123"; sid:1; rev:1;)`

_, err := gonids.ParseRule(s)
if err != nil {
    fmt.Println(err)
}

outputs

network component contains spaces: 1.1.1.2] any

Same it goes for list of ports.

---

Can you please give me any hints where in gonids these issues can be addressed?

[duanehoward]

Hey Daniel, I suspect the bugs will be in the String() functions for the various components. For Network issues, it's likely to be in [0][1]. The String() for a Rule that calls this is at[2]

The error being thrown during parsing of network definitions with spaces is at[3]

[0] https://github.com/google/gonids/blob/197084007ae92b914688f9dd9e6bda5f6525b7e4/rule.go#L665 [1] https://github.com/google/gonids/blob/197084007ae92b914688f9dd9e6bda5f6525b7e4/rule.go#L647 [2] https://github.com/google/gonids/blob/197084007ae92b914688f9dd9e6bda5f6525b7e4/rule.go#L894 [3] https://github.com/google/gonids/blob/197084007ae92b914688f9dd9e6bda5f6525b7e4/parser.go#L420