diff --git a/server/modules/suricata/suricata_test.go b/server/modules/suricata/suricata_test.go
index c1eea1de4..a3d8a6bc5 100644
--- a/server/modules/suricata/suricata_test.go
+++ b/server/modules/suricata/suricata_test.go
@@ -263,7 +263,7 @@ func TestValidate(t *testing.T) {
 },
 {
 Name: "Parentheses in Unquoted Option",
- Input: `alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinSoftware.com Spyware User-Agent (WinSoftware)"; flow:to_server,established; http.user_agent; content:"WinSoftware"; nocase; depth:11; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation%2c%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003527; classtype:pup-activity; sid:2003527; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)`,
+ Input: `alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET ADWARE_PUP WinSoftware.com Spyware User-Agent (WinSoftware)\\"; flow:to_server,established; http.user_agent; content:"WinSoftware"; nocase; depth:11; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=WinSoftware%20Corporation%2c%20Inc.%20(v)&threatid=90037; reference:url,doc.emergingthreats.net/2003527; classtype:pup-activity; sid:2003527; rev:12; metadata:attack_target Client_Endpoint, created_at 2010_07_30, deployment Perimeter, former_category ADWARE_PUP, signature_severity Minor, tag Spyware_User_Agent, updated_at 2020_10_13;)`,
 },
 {
 Name: "Unescaped Double Quote in PCRE Option",
diff --git a/server/modules/suricata/validate.go b/server/modules/suricata/validate.go
index 33ddf0b09..fcb16a752 100644
--- a/server/modules/suricata/validate.go
+++ b/server/modules/suricata/validate.go
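Review bot: In suricata_test.go the escaped-backslash input is folded into the existing "Parentheses in Unquoted Option" case instead of getting its own entry, so that case now exercises two parser behaviours at once and a failure no longer says which one regressed. Restore the original input and add a separately named entry with a minimal rule, for example `Name: "Escaped Backslash Before Closing Quote"`. A companion entry where an odd run of backslashes precedes the quote, so the quote must remain escaped, would pin the parity behaviour the validate.go change depends on. The TestValidate table starts and ends outside this hunk, so the expected-result fields of these cases are not visible here.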
@@ -142,7 +142,7 @@ func ParseSuricataRule(rule string) (*SuricataRule, error) {
 inQuotes = !inQuotes
 }
 }
- } else if ch == '\\' {
+ } else if ch == '\\' && !isEscaping {
 isEscaping = true
 buf.WriteRune(ch)
 } else {
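Review bot: The `!isEscaping` guard on the backslash branch is only correct if the trailing `else` branch, whose body lies outside this hunk, both writes the second backslash to `buf` and resets `isEscaping` to false. If it does not reset, the quote after `\\` would presumably still be treated as escaped and the rule's option boundaries would be mis-split during validation. Please confirm that reset, and that the quote-handling branch above (also only partly visible) clears the flag in the same way. The condition is subtle enough to deserve a why-comment, such as `// a backslash that is itself escaped is a literal and must not escape the next rune`.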