Project

General

Profile

Actions

Bug #2798

closed

--engine-analysis is unaware of http_host buffer

Added by Travis Green over 2 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using --engine-analysis flag produces incorrect output for engine analysis:

== Sid: 11111 ==
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TESTRULE Bug: Engine analysis warnings for http_host"; flow:established,to_server; content:"funkyhost.org"; http_host; pcre:"/funk/W"; sid:11111;)
    App layer protocol is http.
    Rule contains 0 content options, 0 http content options, 1 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "funkyhost.org" on "http host header (http_host)" buffer.
    Warning: Rule uses pcre without a content option present.
             -Consider adding a content to improve performance of this rule.
    Warning: Rule app layer protocol is http, but pcre options do not have http modifiers.
             -Consider adding http pcre modifiers.

consider updating detect-engine-analyzer.c to reflect

Actions #1

Updated by Travis Green over 2 years ago

Submitted PR.

Actions #2

Updated by Victor Julien over 2 years ago

  • Status changed from New to Closed
  • Target version set to 5.0beta1
Actions

Also available in: Atom PDF