Bug #2605
closed
engine-analysis warning on PCRE
Added by Peter Manev over 5 years ago.
Updated about 5 years ago.
Description
Using sid: 2830193 with the current gitmaster with "--engine-analysis" - we have this warning on PCRE
Rule matches on http uri buffer.
App layer protocol is http.
Rule contains 0 content options, 6 http content options, 1 pcre
options, and 0 pcre options with http modifiers.
Fast Pattern "/wpapi/" on "http request uri (http_uri)" buffer.
Warning: Rule uses content options with http_* and pcre options
without http modifiers.
-Consider adding http pcre modifier.
Consider PCRE on http buffer
In that case then it seems the warning here is not related as the PCRE is in the sticky buffer (request line).
another example:
alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Lookup for Possible Common Brand Phishing Hosted on Legitimate Windows Service"; dns_query; content:".core.windows.net"; isdataat:!1,relative; pcre:"/^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)|adobe|gdoc)/"; content:!"onedriveclubproddm20007.blob.core.windows.net"; metadata: former_category POLICY; classtype:policy-violation; sid:2026486; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_10_15, updated_at 2018_10_16;)
App layer protocol is dns.
Rule contains 0 content options, 0 http content options, 1 pcre options, and 0 pcre options with http modifiers.
Fast Pattern ".core.windows.net" on "dns request query (dns_query)" buffer.
Warning: Rule uses pcre without a content option present.
-Consider adding a content to improve performance of this rule.
Warning: TCP rule without a flow or flags option.
-Consider adding flow or flags to improve performance of this rule.
another example on sid 2834428 using 4.1.0-dev (rev b51e4a3):
App layer protocol is tls.
Rule contains 0 content options, 0 http content options, 1 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "blablablalalal" on "TLS Server Name Indication (SNI) extension (tls_sni)" buffer.
Warning: Rule uses pcre without a content option present.
-Consider adding a content to improve performance of this rule.
But tls_sni is sticky buffer - https://suricata.readthedocs.io/en/latest/rules/tls-keywords.html#tls-sni
Another example with 5.0.0-dev (rev e710b06) , sig 2834668
- Status changed from New to Assigned
- Assignee set to Jeff Lucovsky
- Target version set to 70
- Status changed from Assigned to Closed
- Target version changed from 70 to 5.0beta1
Also available in: Atom
PDF