Bug #2252: Rule parses in 4.0 when flow to client is set and http_client_body is used. - Suricata - Open Information Security Foundation

Actions

Copy link

Bug #2252

closed

Rule parses in 4.0 when flow to client is set and http_client_body is used.

Added by Bendik Hagen over 6 years ago. Updated about 6 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Victor Julien

Target version:

4.1beta1

Affected Versions:

Effort:

Difficulty:

Label:

Description

This rule parses in 4.0, but does not in 3.2:
alert http any any -> $HOME_NET any (msg:"Test rule"; flow:established,to_client; pcre:"/test/iP"; sid:10; rev:1;)

This is the error when running this in 3.2.3:
25/10/2017 -- 10:32:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - can't use uricontent /http_uri , raw_uri, http_client_body, http_method, http_user_agent keywords with flow:to_client or flow:from_server
25/10/2017 -- 10:32:05 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert http any any -> $HOME_NET any (msg:"Test rule"; flow:established,to_client; pcre:"/test/iP"; sid:10; rev:1;)" from file hjemmebakt.rules at line 6

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Suricata

Custom queries

Bug #2252

Rule parses in 4.0 when flow to client is set and http_client_body is used.

Updated by Andreas Herz over 6 years ago

Updated by Victor Julien over 6 years ago

Updated by Victor Julien about 6 years ago