Bug #2882: http keyword rule regression for bi-directional rules - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #2882

closed

http keyword rule regression for bi-directional rules

Added by Derek Ditch over 5 years ago. Updated over 5 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Target version:

Affected Versions:

4.1.2

Effort:

Difficulty:

Label:

Description

in Suricata 4.0.4 (from EPEL RPM), I was able to correctly alert on the following rule:

alert http any any -> any any (msg:"HTTP POST method seen and successful"; content:"POST"; http_method; content:"200"; http_stat_code; sid:7;)

However, with Suricata 4.1.2, I get an error

error parsing signature "alert http any any -> any any (msg:"HTTP POST method seen and successful"; content:"POST"; http_method; content:"200"; http_stat_code; sid:7;)" from file ex2.rules at line 3
rule 7 mixes keywords with conflicting directions

I'm not sure if this was a purposeful change or a regression. Scanning [[https://github.com/OISF/suricata/blob/master/ChangeLog]], nothing specific jumped out at me to suggest this was an intended change.

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #2882

http keyword rule regression for bi-directional rules

Updated by Victor Julien over 5 years ago

Updated by Andreas Herz over 5 years ago

Updated by Victor Julien over 5 years ago