jasonish / py-idstools

idstools: Snort and Suricata Rule and Event Utilities in Python (Including a Rule Update Tool)

Bug: semicolon in rule message #50

Closed sevdog closed 7 years ago

sevdog commented 7 years ago

If a semicolon (;) is present (escaped, obviously) in the rule msg option the parser gets confused.

Example:

$ my_rule = '''alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"example of semicolon\; usage here"; classtype:trojan-activity; sid:9999; rev:1;)'''
$ parsed_rule = rule.parse(my_rule)
$ print parsed_rule.msg
'"example of semicolon\\'
$ print parsed_rule.options
[{'name': 'msg', 'value': '"example of semicolon\\'}, {'name': 'usage here"', 'value': None}, {'name': 'classtype', 'value': 'trojan-activity'}, {'name': 'sid', 'value': '9999'}, {'name': 'rev', 'value': '1'}]

Some rules (ETPRO) really use semicolon in the msg option.
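Added example (not idstools' own code): an option splitter that honours the backslash escape, so `\;` inside the msg value no longer terminates the option and the following `sid`/`rev` fields are not mis-parsed. `split_options`, `parse_rule` and the sample rule are constructed here from the reproduction above; `naive_split` shows the failing approach beside it.

```python
# Constructed sample rule, taken from the reproduction in this report.
SAMPLE_RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any '
               '(msg:"example of semicolon\\; usage here"; '
               'classtype:trojan-activity; sid:9999; rev:1;)')


def naive_split(body):
    """The failing approach: splitting on every ';' ignores '\\;' escapes,
    so the msg value is cut and 'usage here"' becomes a bogus option."""
    return [t.strip() for t in body.split(";") if t.strip()]


def split_options(body):
    """Split the text between the rule's outer parentheses into
    {'name': ..., 'value': ...} dicts. A backslash escapes the next
    character, so '\\;' stays inside the current option's value."""
    options = []
    buf = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            # Keep the escape sequence verbatim; it is part of the value.
            buf.append(ch)
            buf.append(body[i + 1])
            i += 2
            continue
        if ch == ";":
            token = "".join(buf).strip()
            buf = []
            if token:
                name, sep, value = token.partition(":")
                options.append({"name": name.strip(),
                                "value": value.strip() if sep else None})
        else:
            buf.append(ch)
        i += 1
    if "".join(buf).strip():
        # Every option must end with ';' (Snort/Suricata syntax).
        raise ValueError("unterminated option: %r" % "".join(buf))
    return options


def parse_rule(rule):
    """Return (header, options) for a single-line Snort/Suricata rule."""
    start = rule.index("(")
    end = rule.rindex(")")
    return rule[:start].strip(), split_options(rule[start + 1:end])
```

For rule-management tooling this matters beyond the msg text: a truncated split can shift or drop `sid`/`rev`, so updates and deduplication keyed on those fields silently go wrong.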

jasonish commented 7 years ago

Thought I had fixed this, but a quick test shows it's not! Will do soon.

jasonish commented 7 years ago

Fixed in master.