Feature #5973: warn when HTTP rules will only work for a specific version of HTTP - Suricata - Open Information Security Foundation

Actions

Copy link

Feature #5973

open

warn when HTTP rules will only work for a specific version of HTTP

Added by Brandon Murphy over 1 year ago. Updated 12 months ago.

Status:

New

Priority:

Normal

Assignee:

OISF Dev

Target version:

8.0.0-beta1

Effort:

Difficulty:

Label:

Description

As a rule writer, I'd like to be warned should if a rule only supports certain versions of HTTP due to use of keywords which only support certain HTTP versions.

This feature was mentioned within https://github.com/OISF/suricata/pull/8670

Should we warn on a rule alert http that is only for HTTP1 or HTTP2 based on its keywords ?

I see no reason to not warn on this condition and as such am formally requesting it.

Side Note:
I could see some other use cases such as warning when nocase isn't applied to http.header_names, http.header, etc. Though perhaps those use cases are not good fits for the engine to identify.

History
Notes
Property changes

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Feature #5973

warn when HTTP rules will only work for a specific version of HTTP

Updated by Victor Julien over 1 year ago

Updated by Philippe Antoine 12 months ago

Updated by Brandon Murphy 12 months ago