Bug #2882
http keyword rule regression for bi-directional rules
Status: Closed
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:
Description
In Suricata 4.0.4 (from EPEL RPM), I was able to correctly alert on the following rule:
alert http any any -> any any (msg:"HTTP POST method seen and successful"; content:"POST"; http_method; content:"200"; http_stat_code; sid:7;)
However, with Suricata 4.1.2, I get an error:
error parsing signature "alert http any any -> any any (msg:"HTTP POST method seen and successful"; content:"POST"; http_method; content:"200"; http_stat_code; sid:7;)" from file ex2.rules at line 3 rule 7 mixes keywords with conflicting directions
I'm not sure if this was a purposeful change or a regression. Scanning https://github.com/OISF/suricata/blob/master/ChangeLog, nothing specific jumped out at me to suggest this was an intended change.
Updated by Victor Julien almost 6 years ago
This was never supported. The only change in 4.1 is that the rule parser became stricter. In previous versions such rules may have worked by luck or by skipping certain conditions in their checks.
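A pre-deployment check for the condition described in the comment above, as an added example that is not part of the original issue or Suricata's own code: it flags rules that combine request-only and response-only HTTP keywords. The keyword lists are a partial, assumed subset, and the flowbits rewrite with its flowbit name and sids is constructed for illustration.

```python
# Partial keyword lists (assumption: based on the Suricata HTTP keyword docs).
# Keywords usable in both directions, such as http_header, are left out.
REQUEST_ONLY = {"http_method", "http_uri", "http_raw_uri", "http_user_agent",
                "http_host", "http_raw_host", "http_client_body", "http_request_line"}
RESPONSE_ONLY = {"http_stat_code", "http_stat_msg", "http_server_body", "http_response_line"}

# The rule from the report above.
PAGE_RULE = ('alert http any any -> any any (msg:"HTTP POST method seen and '
             'successful"; content:"POST"; http_method; content:"200"; '
             'http_stat_code; sid:7;)')

# Constructed rewrite (not from the thread): one rule per direction, tied
# together with a flowbit. The flowbit name and sids are made up.
SPLIT_RULES = [
    'alert http any any -> any any (msg:"HTTP POST method seen"; content:"POST"; '
    'http_method; flowbits:set,http.post; flowbits:noalert; sid:1000001;)',
    'alert http any any -> any any (msg:"HTTP POST method seen and successful"; '
    'flowbits:isset,http.post; content:"200"; http_stat_code; sid:1000002;)',
]

def option_keywords(rule):
    """Return the option keyword names, splitting on ';' outside quotes."""
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end < start:
        raise ValueError("rule has no (options) section")
    keywords, current, in_quotes, escaped = [], "", False, False
    for ch in rule[start + 1:end]:
        if ch == ";" and not in_quotes and not escaped:
            if current.strip():
                keywords.append(current.split(":", 1)[0].strip())
            current = ""
            continue
        current += ch
        if ch == '"' and not escaped:
            in_quotes = not in_quotes
        escaped = (ch == "\\" and not escaped)
    return keywords

def direction_conflict(rule):
    """Return (request_keywords, response_keywords) when both occur, else None."""
    keywords = option_keywords(rule)
    req = [k for k in keywords if k in REQUEST_ONLY]
    resp = [k for k in keywords if k in RESPONSE_ONLY]
    return (req, resp) if req and resp else None

if __name__ == "__main__":
    for rule in [PAGE_RULE, *SPLIT_RULES]:
        print(direction_conflict(rule) or "ok", "<-", rule[:60])
```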
Updated by Andreas Herz over 5 years ago
- Assignee set to Derek Ditch
- Target version set to Support
Do you need more feedback on that or is the response from Victor helpful?
If yes please close the issue :)
Updated by Victor Julien over 5 years ago
- Status changed from New to Closed
- Assignee deleted (Derek Ditch)
- Target version deleted (Support)