Bug #2847
closed
Confusing warning “Rule is inspecting both directions” when inspecting engine analysis output
Description
Hi,
I’ve been investigating engine analysis output for my rules, and it seems that most of the warnings are coming from “Warning: Rule is inspecting both directions”. For example, the following:
== Sid: 2013845 ==
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.ez-dns.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ez-dns|03|com"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013845; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)
Rule contains 2 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "\x06ez-dns\x03com" on "payload" buffer.
Warning: Rule is inspecting both directions.
I haven’t found anything on Google, nor does reading the source easily say what it’s for. My assumption is that it’s something like the engine analysing the rule for both incoming and outgoing traffic. Is that correct? If so, does that mean that every rule should specify the direction in which traffic should be inspected?
Somewhat related: is there a place (other than the source) to read what these warnings are actually trying to say?
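The investigation described above (finding which warnings dominate an engine-analysis report and which sids raise them) can be scripted. The following is an added example, not code from the bug report or from the Suricata project; it parses the report layout quoted above (a `== Sid: N ==` header, the rule line, the option summary, the fast-pattern line, and any `Warning:` lines) and aggregates warnings per sid. The report text is a constructed sample: the first block is the one quoted in the report, the other two blocks are made up for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the engine-analysis report quoted in the
# bug report. Sids 1000001 and 1000002 are made up; their content is illustrative only.
SAMPLE_REPORT = """\
== Sid: 2013845 ==
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.ez-dns.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ez-dns|03|com"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013845; rev:2;)
    Rule contains 2 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "\\x06ez-dns\\x03com" on "payload" buffer.
    Warning: Rule is inspecting both directions.

== Sid: 1000001 ==
alert tcp any any -> any 80 (msg:"constructed example A"; content:"foo"; sid:1000001; rev:1;)
    Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "foo" on "payload" buffer.
    Warning: Rule is inspecting both directions.

== Sid: 1000002 ==
alert tcp any any -> any 80 (msg:"constructed example B"; content:"bar"; sid:1000002; rev:1;)
    Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "bar" on "payload" buffer.
"""

SID_HEADER = re.compile(r"^== Sid: (\d+) ==$")
RULE_ACTIONS = ("alert ", "drop ", "pass ", "reject ")


def parse_report(text):
    """Split an engine-analysis report into one record per sid."""
    records = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()            # the report indents everything below the header
        match = SID_HEADER.match(line)
        if match:
            current = {"rule": None, "fast_pattern": None, "warnings": []}
            records[int(match.group(1))] = current
            continue
        if current is None or not line:
            continue
        if line.startswith("Warning: "):
            current["warnings"].append(line[len("Warning: "):].rstrip("."))
        elif line.startswith("Fast Pattern "):
            current["fast_pattern"] = line
        elif line.startswith(RULE_ACTIONS):
            current["rule"] = line
    return records


def warning_summary(records):
    """Return (count per warning text, sorted list of sids per warning text)."""
    counts, sids = Counter(), defaultdict(list)
    for sid, rec in sorted(records.items()):
        for warning in rec["warnings"]:
            counts[warning] += 1
            sids[warning].append(sid)
    return counts, dict(sids)
```

Running `warning_summary(parse_report(open("rules_analysis.txt").read()))` on a real report gives the per-warning counts the reporter was eyeballing by hand.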