Actions
Feature #5746
closedhttp.connection - allow in server response
Effort:
Difficulty:
Label:
Description
Currently when using http.connection in combination with "to_client" produces the following error
Problem starting Suricata daemon: 7/12/2022 -- 19:57:49 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 1 mixes keywords with conflicting directions
however, for whatever reason, the connection header is often observed in the HTTP Server Response.
This limitation forces the use of http.header to match on the Connection header instead of using the more specific buffer.
Files
Updated by Victor Julien about 2 years ago
Can you share a pcap / SV test for a connection with connection header in to client direction?
Updated by Brandon Murphy about 2 years ago
You betcha! Attached is a pcap of a wget to a benign site which exhibits this same behavior.
Updated by Victor Julien almost 2 years ago
- Status changed from New to Assigned
- Assignee changed from OISF Dev to Philippe Antoine
- Target version changed from TBD to 7.0.0-rc2
Updated by Philippe Antoine almost 2 years ago
- Status changed from Assigned to In Review
https://github.com/OISF/suricata/pull/8644
Tested non out.pcap with alert tcp any any -> any any (msg:"tfo test15"; flow: to_client; http.connection; content:"close"; sid:15;)
Updated by Victor Julien over 1 year ago
- Status changed from In Review to Closed
Actions