-
-
Notifications
You must be signed in to change notification settings - Fork 67
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mismatch in handling of unescaped backslashes #177
Comments
Re-add '\' when found to not be escaping a double quote. GitHub issue: #177
The commit reference above fixes this issue, it was in the quote stripping. However, as discussed in #176, not stripping the quotes at all fixes this issue. However, a function to strip quotes would still be a useful utility method, so will fix this. |
Hello Thanks for the super-fast fix. But as I'm looking at the code, it seems https://suricata.readthedocs.io/en/suricata-6.0.0/rules/intro.html#rule-options Hopefully, that's all of them. |
This should already happen in |
Closing. Fixed with 0b63979. |
Hello
It seems the rust parser and suricata behaves differently when presented with backslashes in rule option values that are not escaped. Suricata seems to preserve them, while the evebox-suricata-rule-parser strips them.
This often leads to damaging
pcre
options, as they often contain backslashes that are significant for the regex itself. One that's in the example in the documentation: https://suricata.readthedocs.io/en/suricata-6.0.0/rules/payload-keywords.html?highlight=pcre#pcre-perl-compatible-regular-expressions:pcre: "/^/index\.html/$/U"
. Apparently, the\.
is meant to match literal dot and not any character.This is how it gets parsed:
The text was updated successfully, but these errors were encountered: