Suricata

Backport bug #1481 to 2.0.x.

I'm not sure if this is a bug or feature request so please feel free to reclassify if necessary.

Apparently, leading whitespace in flowbits variable names matters. If you set a flowbit like this: 'flowbits:set, jpg.cats;', the check has to include the leading whitespace for it to work: 'flowbits:isset, jpg.cats;'. Checking it like this will NOT work in Suricata (but will in Snort since Snort ignores leading whitespace in the name of flowbits variables): 'flowbits:isset,jpg.cats;'. Trailing whitespace is ignored in Suricata and Snort.

I can see this being an issue for people converting Snort rules to Suricata. (As an aside, the EmergingThreats Suricata ruleset does not uses spaces before the flowbits variable names so this is a non-issue for that ruleset.) I think leading whitespace in flowbits variable names should be ignored.