Project

General

Profile

Actions

Bug #2882

closed

http keyword rule regression for bi-directional rules

Added by Derek Ditch almost 6 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

in Suricata 4.0.4 (from EPEL RPM), I was able to correctly alert on the following rule:

alert http any any -> any any (msg:"HTTP POST method seen and successful"; content:"POST"; http_method; content:"200"; http_stat_code; sid:7;)

However, with Suricata 4.1.2, I get an error

error parsing signature "alert http any any -> any any (msg:"HTTP POST method seen and successful"; content:"POST"; http_method; content:"200"; http_stat_code; sid:7;)" from file ex2.rules at line 3
rule 7 mixes keywords with conflicting directions

I'm not sure if this was a purposeful change or a regression. Scanning [[https://github.com/OISF/suricata/blob/master/ChangeLog]], nothing specific jumped out at me to suggest this was an intended change.

Actions

Also available in: Atom PDF