Feature #4381: flowbits: warn if flowbit dependencies don't follow suricata inspection order - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #4381

open

Task #4380: tracking: improvements to bits, ints, vars

flowbits: warn if flowbit dependencies don't follow suricata inspection order

Added by Victor Julien over 3 years ago. Updated over 1 year ago.

Status:

New

Priority:

Normal

Assignee:

Community Ticket

Target version:

TBD

Effort:

Difficulty:

Label:

Description

Consider 2 rules:

file.data; content:"abc"; flowbit:set,bit1;
http.uri; content:"xyz"; flowbit:isset,bit1;

The first rule will be evaluated last because it is part of the response. We should warn here.

Consider 2 rules:

http.request_body; content:"abc"; flowbit:set,bit1;
http.uri; content:"xyz"; flowbit:isset,bit1;

The first rule will be evaluated last because it happens later in the stream. We should warn here. We can look at the max "progress value" associated with a buffer perhaps.

Actions

Copy link

Updated by Philippe Antoine over 1 year ago

Assignee set to Community Ticket

Are we already warning if we have flowbit:isset,bit1; but no rules set this flowbit ?

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #4381

flowbits: warn if flowbit dependencies don't follow suricata inspection order

Updated by Philippe Antoine over 1 year ago