Bug #2847

Confusing warning “Rule is inspecting both directions” when inspecting engine analysis output

Added by Samu Voutilainen about 5 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hi,

I’ve been investigating the engine analysis output for my rules, and it seems that most of the warnings are “Warning: Rule is inspecting both directions”. For example, the following:

== Sid: 2013845 ==
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.ez-dns.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ez-dns|03|com"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013845; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)
    Rule contains 2 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "\x06ez-dns\x03com" on "payload" buffer.
    Warning: Rule is inspecting both directions.

I haven’t found anything on Google, nor has reading the source easily told me what it’s for. My assumption is that it means something like the engine analysing the rule for both incoming and outgoing traffic. Is that correct? If so, does that mean that every rule should specify the direction in which traffic should be inspected?

Somewhat related: is there a place (other than the source) to read what these warnings are actually trying to say?
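The following is an added example, not part of the original report and not Suricata project code. It parses the engine-analysis output format shown in the report (a `== Sid: N ==` header, the rule text, then indented analysis lines), groups the `Warning:` lines by sid, and reports whether each rule declares a flow direction (`flow:to_server` / `to_client`) so that the warning can be correlated with rules that have no direction keyword. That correlation is an assumption of this example, not something the report confirms. The first sample entry is the rule from the report; the second (sid 9000001) is a constructed rule written for this example.

```python
import re
from typing import Dict, List

# Constructed sample in the engine-analysis format shown in the report.
# sid 2013845 is the report's own entry; sid 9000001 is a hypothetical rule
# with a flow direction, written for this example only.
SAMPLE_ANALYSIS = r"""== Sid: 2013845 ==
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.ez-dns.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ez-dns|03|com"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013845; rev:2; metadata:created_at 2011_11_04, updated_at 2011_11_04;)
    Rule contains 2 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "\x06ez-dns\x03com" on "payload" buffer.
    Warning: Rule is inspecting both directions.

== Sid: 9000001 ==
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE request with flow direction"; flow:established,to_server; content:"GET"; depth:3; sid:9000001; rev:1;)
    Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "GET" on "payload" buffer.
"""

SID_HEADER = re.compile(r"^== Sid: (\d+) ==$")
# A flow keyword carrying an explicit direction, e.g. flow:established,to_server
FLOW_DIRECTION = re.compile(r"\bflow:[^;]*\b(to_server|to_client|from_server|from_client)\b")
BOTH_DIRECTIONS = "Rule is inspecting both directions"


def parse_engine_analysis(text: str) -> Dict[int, dict]:
    """Group each sid's rule text and Warning: lines from engine-analysis output."""
    entries: Dict[int, dict] = {}
    current = None
    for line in text.splitlines():
        header = SID_HEADER.match(line)
        if header:
            current = {"sid": int(header.group(1)), "rule": "", "warnings": []}
            entries[current["sid"]] = current
            continue
        if current is None or not line.strip():
            continue
        stripped = line.strip()
        if not line.startswith(" ") and not current["rule"]:
            # First unindented line after the header is the rule itself.
            current["rule"] = stripped
        elif stripped.startswith("Warning:"):
            current["warnings"].append(stripped[len("Warning:"):].strip())
    return entries


def has_flow_direction(rule: str) -> bool:
    """True if the rule text contains a flow keyword with a direction."""
    return FLOW_DIRECTION.search(rule) is not None


def rules_inspecting_both_directions(text: str) -> List[int]:
    """Sids whose analysis carries the 'inspecting both directions' warning."""
    entries = parse_engine_analysis(text)
    return sorted(sid for sid, e in entries.items()
                  if any(w.startswith(BOTH_DIRECTIONS) for w in e["warnings"]))


def report(text: str) -> List[str]:
    """One summary line per sid: the warning flag next to the flow-direction check."""
    lines = []
    for sid, e in sorted(parse_engine_analysis(text).items()):
        both = any(w.startswith(BOTH_DIRECTIONS) for w in e["warnings"])
        lines.append(f"sid {sid}: both_directions={both} "
                     f"flow_direction={has_flow_direction(e['rule'])}")
    return lines


if __name__ == "__main__":
    # Replace SAMPLE_ANALYSIS with the contents of the real analysis file
    # (path assumed; check the engine-analysis.rules-file-path in suricata.yaml).
    for line in report(SAMPLE_ANALYSIS):
        print(line)
```

Run it against the real analysis output to get, per sid, whether the warning appears side by side with whether the rule has a directional `flow` keyword; if the two columns disagree for some rules, the assumption behind the check does not hold for them.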
