Project

General

Custom queries

Profile

Actions

Bug #2605

closed

engine-analysis warning on PCRE

Added by Peter Manev over 6 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using sid: 2830193 with the current gitmaster with "--engine-analysis" - we have this warning on PCRE

 Rule matches on http uri buffer.
    App layer protocol is http.
    Rule contains 0 content options, 6 http content options, 1 pcre
options, and 0 pcre options with http modifiers.
    Fast Pattern "/wpapi/" on "http request uri (http_uri)" buffer.
    Warning: Rule uses content options with http_* and pcre options
without http modifiers.
             -Consider adding http pcre modifier.

Consider PCRE on http buffer


In that case then it seems the warning here is not related as the PCRE is in the sticky buffer (request line).

Actions #1

Updated by Peter Manev about 6 years ago

another example:

alert dns $HOME_NET any -> any any (msg:"ET POLICY DNS Lookup for Possible Common Brand Phishing Hosted on Legitimate Windows Service"; dns_query; content:".core.windows.net"; isdataat:!1,relative; pcre:"/^(?:d(?:(?:ocu|uco)sign|ropbox)|o(?:ffice365|nedrive)|adobe|gdoc)/"; content:!"onedriveclubproddm20007.blob.core.windows.net"; metadata: former_category POLICY; classtype:policy-violation; sid:2026486; rev:3; metadata:affected_product Web_Browsers, attack_target Client_Endpoint, deployment Perimeter, tag Phishing, signature_severity Minor, created_at 2018_10_15, updated_at 2018_10_16;)
    App layer protocol is dns.
    Rule contains 0 content options, 0 http content options, 1 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern ".core.windows.net" on "dns request query (dns_query)" buffer.
    Warning: Rule uses pcre without a content option present.
             -Consider adding a content to improve performance of this rule.
    Warning: TCP rule without a flow or flags option.
             -Consider adding flow or flags to improve performance of this rule.
Actions #2

Updated by Peter Manev almost 6 years ago

another example on sid 2834428 using 4.1.0-dev (rev b51e4a3):

    App layer protocol is tls.
    Rule contains 0 content options, 0 http content options, 1 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "blablablalalal" on "TLS Server Name Indication (SNI) extension (tls_sni)" buffer.
    Warning: Rule uses pcre without a content option present.
             -Consider adding a content to improve performance of this rule.

But tls_sni is sticky buffer - https://suricata.readthedocs.io/en/latest/rules/tls-keywords.html#tls-sni

Actions #4

Updated by Peter Manev almost 6 years ago

Another example with 5.0.0-dev (rev e710b06) , sig 2834668

Actions #6

Updated by Victor Julien over 5 years ago

  • Status changed from Assigned to Closed
  • Target version changed from 70 to 5.0beta1
Actions

Also available in: Atom PDF