Bug #1826
Updated by Victor Julien over 8 years ago
<pre>
Relative keywords cannot be used around a "fast_pattern:only" context, and the Suricata rule validation checks for this. However, there are cases where this validation doesn't recognize that the relative keywords apply to a particular buffer (e.g. "http_*") and are therefore not invalid. Take this rule for example:

<pre>
alert http any any -> any any (msg:"Rule validation issue - ERROR"; content:"whatever"; fast_pattern:only; content:"ABC"; http_uri; content:"123"; distance:3; http_uri; sid:1234;)
</pre>

It will produce the following error:

<pre>
<Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - previous keyword has a fast_pattern:only; set. Can't have relative keywords around a fast_pattern only content
</pre>

But if you move the "http_*" modifier to before the distance/within modifier(s), it works:

<pre>
alert http any any -> any any (msg:"Rule validation issue - NO_ERROR"; content:"whatever"; fast_pattern:only; content:"ABC"; http_uri; content:"123"; http_uri; distance:3; sid:1234;)
</pre>

The issue is with rule validation only and doesn't affect detection.
</pre>
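The order dependence described in this report, modelled as an added Python illustration (this is not Suricata's parser; the per-buffer content lists, the deferred check and the small `HTTP_BUFFERS` subset are assumptions made for the demo). With `buffer_aware=False` the relative keyword is checked the moment it is parsed, so `content:"123"` is still in the plain payload list next to the `fast_pattern:only` content and the first rule is rejected; with `buffer_aware=True` the check waits until every content has reached its `http_*` buffer and both rules pass, while a genuinely invalid rule is still rejected either way.

```python
RELATIVE = {"distance", "within"}
HTTP_BUFFERS = {"http_uri", "http_header", "http_client_body"}  # subset, enough here
ERR = ("previous keyword has a fast_pattern:only; set. "
       "Can't have relative keywords around a fast_pattern only content")

def parse_options(rule):
    """Split the option section of a Suricata rule into (keyword, value) pairs."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pairs = []
    for raw in body.split(";"):
        raw = raw.strip()
        if raw:
            kw, _, val = raw.partition(":")
            pairs.append((kw.strip(), val.strip().strip('"')))
    return pairs

def _prev_has_fp_only(lists, c):
    """True when the content before `c` in its own buffer list is fast_pattern:only."""
    buf = lists[c["buffer"]]
    i = buf.index(c)
    return i > 0 and buf[i - 1]["fp_only"]

def check_relative(rule, buffer_aware):
    """Return the validation error for `rule`, or None. Each content starts in the
    plain 'payload' list and moves to an http_* list when that modifier follows it;
    a relative keyword is checked against the content preceding the current one in
    the same list. buffer_aware=False checks the instant distance/within is parsed
    (reproduces the spurious error); True defers until every content has its buffer."""
    lists = {"payload": []}
    cur, pending = None, []
    for n, (kw, val) in enumerate(parse_options(rule)):
        if kw == "content":
            cur = {"n": n, "pattern": val, "buffer": "payload", "fp_only": False}
            lists["payload"].append(cur)
        elif cur is None:
            continue                      # msg:, flow: etc. before any content
        elif kw in HTTP_BUFFERS:
            lists[cur["buffer"]].remove(cur)
            cur["buffer"] = kw
            lists.setdefault(kw, []).append(cur)
        elif kw == "fast_pattern" and val == "only":
            cur["fp_only"] = True
        elif kw in RELATIVE:
            if buffer_aware:
                pending.append(cur)
            elif _prev_has_fp_only(lists, cur):
                return ERR
    for c in pending:
        if _prev_has_fp_only(lists, c):
            return ERR
    return None
```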