Bug #2522

closed

The cross-effects of rules on each other, without the use of flowbits.

Added by Jane Ostin over 6 years ago. Updated about 6 years ago.

Status: Closed
Priority: Normal

Description

One rule can influence the operation of another, even if the two are not tied together by flowbits. This happens if the affected signature uses both http and tcp buffers, and the signature through which we act uses the stream.
The eerie action at a distance stops if we add "no_stream" to the controlling signature, or place all checks in the controlled signature in the http buffers.

alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "test1";
flow: established, to_server;
content: "Accept-Encoding: identity";                       <- place "http_header" here to disable the effect
content: "data="; http_client_body; depth:5;
classtype: misc-activity; sid: 1; rev: 1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "test2";
flow: established, to_server;                               <- or place "no_stream" here
content: "|6c55554503104840|"; offset:4; depth:8;
classtype: misc-activity; sid: 2; rev: 1;)

Pcap in attachment.
This is Suricata version 4.1.0-beta1 RELEASE
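An added rule lint, not part of this report or of Suricata itself, that applies the two conditions the report describes to the two rules above: it maps each content match to the buffer it inspects and flags a rule that mixes raw-stream and HTTP-buffer matches (the controlled rule) or a raw-stream rule that does not set no_stream (the controlling rule). The option splitting and the list of HTTP modifiers are my own simplification of Suricata's rule syntax.

```python
# Sticky buffers (http.*, file.data) apply to the content matches that follow them; the
# legacy modifiers below move the content immediately before them into an HTTP buffer.
HTTP_MODIFIERS = {"http_header", "http_raw_header", "http_client_body", "http_uri",
                  "http_raw_uri", "http_method", "http_cookie", "http_user_agent",
                  "http_host", "http_raw_host", "http_stat_code", "http_stat_msg", "file_data"}

def split_options(rule):
    """Split the options inside the rule's parentheses on ';', ignoring ';' inside quotes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quotes, prev = [], "", False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            opts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        prev = ch
    return opts + ([cur.strip()] if cur.strip() else [])

def content_buffers(rule):
    """Map each content match to its buffer: None means the raw stream/packet payload."""
    buffers, sticky = [], None
    for opt in split_options(rule):
        key = opt.split(":", 1)[0].strip().lower()
        if key.startswith("http.") or key == "file.data":
            sticky = key                   # sticky buffer: applies to later contents
        elif key == "content":
            buffers.append(sticky)
        elif key in HTTP_MODIFIERS and buffers:
            buffers[-1] = key              # legacy modifier: applies to previous content
    return buffers

def check_rule(rule):
    """Findings for one rule, mirroring the two conditions described in the report."""
    keys = {o.split(":", 1)[0].strip().lower() for o in split_options(rule)}
    bufs = content_buffers(rule)
    findings = []
    if None in bufs and any(b is not None for b in bufs):
        findings.append("mixes raw-stream and HTTP-buffer content matches")
    if bufs and all(b is None for b in bufs) and "no_stream" not in keys:
        findings.append("raw-stream content without no_stream")
    return findings

# Sample input: the two rules from the report, on one line each.
TEST1 = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"test1"; flow:established,to_server; '
         'content:"Accept-Encoding: identity"; content:"data="; http_client_body; depth:5; sid:1; rev:1;)')
TEST2 = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"test2"; flow:established,to_server; '
         'content:"|6c55554503104840|"; offset:4; depth:8; sid:2; rev:1;)')
```

Applying either of the report's two workarounds (adding http_header to test1, or no_stream to test2) clears the corresponding finding.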


Related issues (1 closed)

Related to Suricata - Bug #3190: file_data inspection inhibited by additional (non-file_data) content match rule (Closed, Victor Julien)