Project

General

Profile

Actions

Bug #2252

closed

Rule parses in 4.0 when flow to client is set and http_client_body is used.

Added by Bendik Hagen about 7 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

This rule parses in 4.0, but does not in 3.2:
alert http any any -> $HOME_NET any (msg:"Test rule"; flow:established,to_client; pcre:"/test/iP"; sid:10; rev:1;)

This is the error when running this in 3.2.3:
25/10/2017 -- 10:32:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - can't use uricontent /http_uri , raw_uri, http_client_body, http_method, http_user_agent keywords with flow:to_client or flow:from_server
25/10/2017 -- 10:32:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> $HOME_NET any (msg:"Test rule"; flow:established,to_client; pcre:"/test/iP"; sid:10; rev:1;)" from file hjemmebakt.rules at line 6

Actions #1

Updated by Andreas Herz about 7 years ago

  • Assignee set to OISF Dev
  • Target version set to TBD
Actions #2

Updated by Victor Julien about 7 years ago

  • Status changed from New to Assigned
  • Assignee changed from OISF Dev to Victor Julien
Actions #3

Updated by Victor Julien over 6 years ago

  • Status changed from Assigned to Closed
  • Target version changed from TBD to 4.1beta1
Actions

Also available in: Atom PDF