Project

General

Profile

Actions
Copy link

Bug #5177

open

detect/engine-analyzer: rule analyzer warns about http buffers usage/replacement even when using new keyword

Added by Juliana Fajardini Reichow over 2 years ago. Updated 10 months ago.

Status:
New
Priority:
Normal
Assignee:
OISF Dev
Target version:
8.0.0-beta1
Affected Versions:
Effort:
Difficulty:
Label:

Description

Currently, a rule like:

"alert http any any -> any any (http.request_line; content:\"GET /index.html HTTP/1.0\"; sid:61;)"

Will still generate the warning that should be used only when outdated HTTP keywords are used:
"pattern looks like it inspects HTTP, use http.request_line or http.method and http.uri instead for improved performance"

Expected behavior:
The warning should only be triggered if the rule still uses the corresponding legacy content modifier.

Related issues 1 (1 open0 closed)

Copied to Suricata - Bug #6418: detect/engine-analyzer: rule parser error uses outdated bufferNewOISF DevActions
Actions
Copy link

Also available in: Atom PDF