Project

General

Profile

Bug #2798

--engine-analysis is unaware of http_host buffer

Added by Travis Green 3 months ago. Updated about 2 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using --engine-analysis flag produces incorrect output for engine analysis:

== Sid: 11111 ==
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TESTRULE Bug: Engine analysis warnings for http_host"; flow:established,to_server; content:"funkyhost.org"; http_host; pcre:"/funk/W"; sid:11111;)
    App layer protocol is http.
    Rule contains 0 content options, 0 http content options, 1 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "funkyhost.org" on "http host header (http_host)" buffer.
    Warning: Rule uses pcre without a content option present.
             -Consider adding a content to improve performance of this rule.
    Warning: Rule app layer protocol is http, but pcre options do not have http modifiers.
             -Consider adding http pcre modifiers.

consider updating detect-engine-analyzer.c to reflect

History

#1

Updated by Travis Green 3 months ago

Submitted PR.

#2

Updated by Victor Julien about 2 months ago

  • Status changed from New to Closed
  • Target version set to 5.0beta1

Also available in: Atom PDF