Bug #2605 (closed)
engine-analysis warning on PCRE
Description
Using sid 2830193 with the current git master with "--engine-analysis", we get this warning on PCRE:
Rule matches on http uri buffer. App layer protocol is http. Rule contains 0 content options, 6 http content options, 1 pcre options, and 0 pcre options with http modifiers. Fast Pattern "/wpapi/" on "http request uri (http_uri)" buffer. Warning: Rule uses content options with http_* and pcre options without http modifiers. -Consider adding http pcre modifier. Consider PCRE on http buffer
In that case, it seems the warning here is not related, as the PCRE is in the sticky buffer (request line).
Updated by Peter Manev about 6 years ago
Another example:
alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Lookup for Possible Common Brand Phishing Hosted on Legitimate Windows Service"; dns_query; content:".core.windows.net"; isdataat:!1,relative; pcre:"/^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)|adobe|gdoc)/"; content:!"onedriveclubproddm20007.blob.core.windows.net"; metadata: former_category POLICY; classtype:policy-violation; sid:2026486; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_10_15, updated_at 2018_10_16;)
App layer protocol is dns. Rule contains 0 content options, 0 http content options, 1 pcre options, and 0 pcre options with http modifiers. Fast Pattern ".core.windows.net" on "dns request query (dns_query)" buffer.
Warning: Rule uses pcre without a content option present. -Consider adding a content to improve performance of this rule.
Warning: TCP rule without a flow or flags option. -Consider adding flow or flags to improve performance of this rule.
Updated by Peter Manev almost 6 years ago
Another example, on sid 2834428 using 4.1.0-dev (rev b51e4a3):
App layer protocol is tls. Rule contains 0 content options, 0 http content options, 1 pcre options, and 0 pcre options with http modifiers. Fast Pattern "blablablalalal" on "TLS Server Name Indication (SNI) extension (tls_sni)" buffer. Warning: Rule uses pcre without a content option present. -Consider adding a content to improve performance of this rule.
But tls_sni is a sticky buffer - https://suricata.readthedocs.io/en/latest/rules/tls-keywords.html#tls-sni
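The three reports in this ticket (a pcre after http_request_line, after dns_query and after tls_sni) all come from the same gap: the analyser counts payload content, legacy http_* modifiers and pcre /flags, but not the sticky buffer a content or pcre actually runs against. The following is an added illustration, not Suricata's engine-analysis code. It uses a minimal option parser (an assumption: real rule parsing handles many more keywords and escapes), a subset of sticky buffers, legacy modifiers and pcre flag letters (also assumptions), the sid 2026486 rule quoted above with its metadata trimmed, and two constructed rules modelled on the sid 2830193 and sid 2834428 descriptions. With sticky_aware=False it reproduces the warnings reported here; with the default it reports the pcre on its buffer and stays quiet, while still warning about a genuinely unanchored pcre.

```python
"""Buffer-aware version of the engine-analysis pcre checks from this ticket.

Added illustration, not Suricata's own engine-analysis code. A small option
parser (assumption: real rule parsing handles far more keywords and escapes)
tracks which buffer each content/pcre runs against, so a pcre placed after a
sticky buffer such as dns_query, tls_sni or http_request_line counts as a
pcre on that buffer rather than as a bare pcre on the packet payload.
"""

# Sticky buffers (subset, assumption): once selected, every later content or
# pcre runs against that buffer until another sticky buffer is selected.
STICKY_BUFFERS = {"dns_query", "tls_sni", "http_request_line",
                  "http_response_line", "file_data"}
# Legacy modifiers: each applies only to the immediately preceding content.
HTTP_MODIFIERS = {"http_uri", "http_raw_uri", "http_method", "http_header",
                  "http_cookie", "http_user_agent", "http_host",
                  "http_client_body", "http_server_body"}
# pcre flag letters that select an HTTP buffer (subset, assumption).
PCRE_HTTP_FLAGS = set("UIPQHDMCVW")

# sid 2026486 from this ticket (metadata trimmed) and two constructed rules
# modelled on the sid 2830193 and sid 2834428 descriptions above.
RULE_DNS = ('alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Lookup"; '
            'dns_query; content:".core.windows.net"; isdataat:!1,relative; '
            'pcre:"/^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)'
            '|adobe|gdoc)/"; '
            'content:!"onedriveclubproddm20007.blob.core.windows.net"; '
            'classtype:policy-violation; sid:2026486; rev:3;)')
RULE_HTTP = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed"; '
             'flow:established,to_server; content:"/wpapi/"; http_uri; '
             'fast_pattern; content:"POST"; http_method; http_request_line; '
             'pcre:"/^POST \\/wpapi\\/[a-z]+\\/\\d+ /"; sid:1000001;)')
RULE_TLS = ('alert tls any any -> any any (msg:"constructed"; tls_sni; '
            'content:"blablablalalal"; pcre:"/^blablablalalal$/"; sid:1000002;)')


def split_options(rule):
    """Return [(keyword, value)] for the options inside (...). Splits on ';'
    only outside double quotes and keeps backslash escapes inside them."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, cur, in_quotes, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if in_quotes and ch == "\\":        # keep escaped char, e.g. \" or \;
            cur.append(body[i:i + 2])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    opts.append("".join(cur))
    result = []
    for opt in opts:
        if opt.strip():
            kw, _, val = opt.strip().partition(":")
            result.append((kw.strip(), val.strip()))
    return result


def is_http(buf):
    return buf.startswith("http")


def analyse(rule, sticky_aware=True):
    """Count content/pcre options per buffer and derive the two warnings.
    sticky_aware=False reproduces what this ticket reports: sticky buffers
    are ignored, so only payload content, legacy http_* modifiers and pcre
    /flags are seen, and a pcre after dns_query or tls_sni looks bare."""
    buffer, contents, pcres = "payload", [], []
    for kw, val in split_options(rule):
        if kw in STICKY_BUFFERS:
            buffer = kw
        elif kw == "content":
            contents.append(buffer)
        elif kw in HTTP_MODIFIERS and contents:
            contents[-1] = kw               # modifier rebinds the last content
        elif kw == "pcre":
            regex = val.lstrip("!").strip('"')
            flags = regex[regex.rindex("/") + 1:]
            http_flag = [f for f in flags if f in PCRE_HTTP_FLAGS]
            if http_flag:
                pcres.append("http(/%s)" % http_flag[0])
            else:
                pcres.append(buffer if sticky_aware else "payload")
    n_content = contents.count("payload")
    n_http_content = sum(1 for b in contents if is_http(b))
    n_buffer_content = len(contents) - n_content - n_http_content
    n_pcre_http = sum(1 for b in pcres if is_http(b))
    bare_pcre = pcres.count("payload")
    have_content = n_content + n_http_content
    if sticky_aware:                        # content on dns_query/tls_sni counts too
        have_content += n_buffer_content
    warnings = []
    if pcres and not have_content:
        warnings.append("pcre without content")
    if n_http_content and bare_pcre:
        warnings.append("pcre without http modifier")
    return {"content": n_content, "http_content": n_http_content,
            "buffer_content": n_buffer_content, "pcre": len(pcres),
            "pcre_http": n_pcre_http, "warnings": warnings}


if __name__ == "__main__":
    for name, rule in (("dns", RULE_DNS), ("http", RULE_HTTP), ("tls", RULE_TLS)):
        print(name, "as reported:  ", analyse(rule, sticky_aware=False)["warnings"])
        print(name, "buffer-aware: ", analyse(rule)["warnings"])
```

The point of the design is that the buffer is a property of each content and pcre, not a rule-wide count: a pcre inherits the active sticky buffer unless a flag such as /U overrides it, and "content present" is judged against all buffers rather than only the payload and http_* ones.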
Updated by Leo Le Bouter almost 6 years ago
Updated by Peter Manev almost 6 years ago
Another example with 5.0.0-dev (rev e710b06), sig 2834668
Updated by Victor Julien over 5 years ago
- Status changed from Assigned to Closed
- Target version changed from 70 to 5.0beta1