julioliraup / Antiphishing

Suricata rulesets for protect against phishing attack.
GNU General Public License v3.0

Semicolons must be escaped in `content`/`msg` keyword values #6

Open satta opened 5 months ago

satta commented 5 months ago

Many rules currently do not load correctly. Example:

alert http $HOME_NET any -> any any (msg:"AT related malicious URL (docs .google .com/presentation/d/e/2PACX-1vQymD2YQ2XtV4aPhuvSAvfBizi64P2_FaaFy3Xr_Xzp_E9qY9w-oX4dd5OEL2kcp_IQNuPE4XJVEgpk/pub?start=false&amp;loop=false&amp;delayms=30)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/presentation/d/e/2PACX-1vQymD2YQ2XtV4aPhuvSAvfBizi64P2_FaaFy3Xr_Xzp_E9qY9w-oX4dd5OEL2kcp_IQNuPE4XJVEgpk/pub?start=false&amp;loop=false&amp;delayms=300"; startswith; fast_pattern; http.host; bsize:16; content:"docs.google.com"; reference:url,phishstats.info; reference:url,github.com/julioliraup/Antiphishing; classtype:social-engineering; sid:6000018; rev:1; metadata: signature_severity Major, created_et 2024_06_22;)

causes

Notice: suricata: This is Suricata version 8.0.0-dev (625639140 2024-06-18) running in SYSTEM mode [LogVersion:suricata.c:1157]
...
Error: detect-parse: bad option value formatting (possible missing semicolon) for keyword msg: '"AT related malicious URL (docs .google .com/presentation/d/e/2PACX-1vQymD2YQ2XtV4aPhuvSAvfBizi64P2_FaaFy3Xr_Xzp_E9qY9w-oX4dd5OEL2kcp_IQNuPE4XJVEgpk/pub?start=false&amp' [SigParseOptions:detect-parse.c:987]
Error: detect: error parsing signature "alert http $HOME_NET any -> any any (msg:"AT related malicious URL (docs .google .com/presentation/d/e/2PACX-1vQymD2YQ2XtV4aPhuvSAvfBizi64P2_FaaFy3Xr_Xzp_E9qY9w-oX4dd5OEL2kcp_IQNuPE4XJVEgpk/pub?start=false&amp;loop=false&amp;delayms=30)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/presentation/d/e/2PACX-1vQymD2YQ2XtV4aPhuvSAvfBizi64P2_FaaFy3Xr_Xzp_E9qY9w-oX4dd5OEL2kcp_IQNuPE4XJVEgpk/pub?start=false&amp;loop=false&amp;delayms=300"; startswith; fast_pattern; http.host; bsize:16; content:"docs.google.com"; reference:url,phishstats.info; reference:url,github.com/julioliraup/Antiphishing; classtype:social-engineering; sid:6000018; rev:1; metadata: signature_severity Major, created_et 2024_06_22;)" from file 1.rules at line 1 [DetectLoadSigFile:detect-engine-loader.c:182]
Warning: detect: 1 rule files specified, but no rules were loaded! [SigLoadSignatures:detect-engine-loader.c:358]
Error: suricata: Loading signatures failed. [LoadSignatures:suricata.c:2421]

This is because the semicolon (;) is present in the content and msg keyword values, which should be escaped using |3b|:

alert http $HOME_NET any -> any any (msg:"AT related malicious URL (docs .google .com/presentation/d/e/2PACX-1vQymD2YQ2XtV4aPhuvSAvfBizi64P2_FaaFy3Xr_Xzp_E9qY9w-oX4dd5OEL2kcp_IQNuPE4XJVEgpk/pub?start=false&amp|3b|loop=false&amp|3b|delayms=30)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/presentation/d/e/2PACX-1vQymD2YQ2XtV4aPhuvSAvfBizi64P2_FaaFy3Xr_Xzp_E9qY9w-oX4dd5OEL2kcp_IQNuPE4XJVEgpk/pub?start=false&amp|3b|loop=false&amp|3b|delayms=300"; startswith; fast_pattern; http.host; bsize:16; content:"docs.google.com"; reference:url,phishstats.info; reference:url,github.com/julioliraup/Antiphishing; classtype:social-engineering; sid:6000018; rev:1; metadata: signature_severity Major, created_et 2024_06_22;)

Then the rule loads correctly:

Notice: suricata: This is Suricata version 8.0.0-dev (625639140 2024-06-18) running in SYSTEM mode [LogVersion:suricata.c:1157]
...
Info: detect: 1 rule files processed. 1 rules successfully loaded, 0 rules failed, 0 rules skipped [SigLoadSignatures:detect-engine-loader.c:373]
Info: threshold-config: Threshold config parsed: 0 rule(s) found [SCThresholdConfParseFile:util-threshold-config.c:1008]
Info: detect: 1 signatures processed. 0 are IP-only rules, 0 are inspecting packet payload, 1 inspect application layer, 0 are decoder event only [SigPrepareStage1:detect-engine-build.c:1860]
Notice: suricata: Configuration provided was successfully loaded. Exiting. [SuricataInit:suricata.c:2967]

Please make sure in the rule generator that the escaping is done correctly before writing the rules into a file. It could also make sense to test the rules in a CI here.
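The two fixes the issue asks for, escaping in the generator and a check in CI, as an added example that is not part of the Antiphishing repository or of the reporter's comment. The `;` to `|3b|` escape is the one shown in the issue; escaping `|` as `|7c|` and `"` as `\"` follows Suricata's content escaping rules and is my addition. `build_rule` is a hypothetical stand-in for the project's generator (which the issue does not show), and the sample rules file is constructed for the example. The linter relies on the parsing behaviour the error messages above demonstrate: Suricata ends an option at every `;`, quoted or not, so an unescaped `;` inside a value leaves an option token with an odd number of quotes.

```python
"""Escape values in a Suricata rule generator and lint the generated rules.
Added example; not code from the Antiphishing repository."""
import re

UNESCAPED_QUOTE = re.compile(r'(?<!\\)"')


def escape_rule_value(value: str) -> str:
    """Escape a string for use inside a quoted content:/msg: value.

    ';' terminates an option in rule syntax, so it becomes the hex escape |3b|
    (as in the issue). '|' delimits hex escapes and '"' closes the value, so
    they are escaped as well (|7c| and \\"; assumption based on Suricata's
    content escaping rules). '|' must be handled first, because the other
    replacements introduce '|' characters of their own.
    """
    return (value.replace("|", "|7c|")
                 .replace(";", "|3b|")
                 .replace('"', '\\"'))


def build_rule(msg: str, uri: str, host: str, sid: int) -> str:
    """Hypothetical generator producing a rule in the shape used by the repo.

    Every quoted value passes through escape_rule_value, so an '&amp;' in a
    URL cannot leak a raw ';' into the rule text. bsize is derived from the
    host string so it always matches the content that follows it.
    """
    return (
        "alert http $HOME_NET any -> any any ("
        f'msg:"{escape_rule_value(msg)}"; flow:established,to_server; '
        f'http.method; content:"GET"; http.uri; content:"{escape_rule_value(uri)}"; '
        f"startswith; fast_pattern; http.host; bsize:{len(host)}; "
        f'content:"{escape_rule_value(host)}"; classtype:social-engineering; '
        f"sid:{sid}; rev:1;)"
    )


def lint_rule(rule: str) -> list[str]:
    """Return the problems found in one rule line; an empty list means it passes."""
    start, end = rule.find("("), rule.rfind(")")
    if start < 0 or end < start:
        return ["no option section in parentheses"]
    problems = []
    # Split exactly where Suricata does: on every ';', inside quotes or not.
    for tok in rule[start + 1:end].split(";"):
        tok = tok.strip()
        if tok and len(UNESCAPED_QUOTE.findall(tok)) % 2:
            problems.append(
                f"unbalanced quotes in option {tok!r}: unescaped ';' inside a value?")
    return problems


def lint_file(text: str) -> dict[int, list[str]]:
    """Lint every rule line of a rules file (1-based line numbers); CI-friendly."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        problems = lint_rule(line)
        if problems:
            report[lineno] = problems
    return report


# Constructed sample rules file: line 2 reproduces the defect from the issue
# (a raw ';' from '&amp;' inside msg and content), line 3 is generated safely.
SAMPLE_RULES = "\n".join([
    "# constructed sample, not a file from the repository",
    'alert http $HOME_NET any -> any any (msg:"example (site .test/p?a=1&amp;b=2)"; '
    'flow:established,to_server; http.uri; content:"/p?a=1&amp;b=2"; sid:1; rev:1;)',
    build_rule("example (site .test/p?a=1&amp;b=2)", "/p?a=1&amp;b=2", "site.test", 2),
])


def report_for_sample() -> dict[int, list[str]]:
    """Lint the constructed sample; only line 2 should be flagged."""
    return lint_file(SAMPLE_RULES)


if __name__ == "__main__":
    for lineno, problems in report_for_sample().items():
        for problem in problems:
            print(f"line {lineno}: {problem}")
```

Run as a script it prints the flagged option fragments from line 2 of the sample and nothing for the generated line; wired into CI, a non-empty report from `lint_file` over the rules directory fails the build before a broken file ships. The linter only catches the split-value symptom, so it complements rather than replaces loading the files with `suricata -T` in the same job.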