Feature #5746: http.connection - allow in server response - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #5746

closed

http.connection - allow in server response

Added by Brandon Murphy almost 2 years ago. Updated over 1 year ago.

Status:

Closed

Priority:

Normal

Assignee:

Philippe Antoine

Target version:

7.0.0-rc2

Effort:

Difficulty:

Label:

Description

Currently when using http.connection in combination with "to_client" produces the following error

Problem starting Suricata daemon: 7/12/2022 -- 19:57:49 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 1 mixes keywords with conflicting directions

however, for whatever reason, the connection header is often observed in the HTTP Server Response.

This limitation forces the use of http.header to match on the Connection header instead of using the more specific buffer.

Files

out.pcap (1.19 KB) out.pcap

Brandon Murphy, 12/08/2022 03:49 AM

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #5746

http.connection - allow in server response

Updated by Victor Julien almost 2 years ago

Updated by Brandon Murphy almost 2 years ago

Updated by Victor Julien over 1 year ago

Updated by Philippe Antoine over 1 year ago

Updated by Victor Julien over 1 year ago