Bug #2882

http keyword rule regression for bi-directional rules

Added by Derek Ditch 2 months ago. Updated 20 minutes ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

In Suricata 4.0.4 (from EPEL RPM), I was able to correctly alert on the following rule:

alert http any any -> any any (msg:"HTTP POST method seen and successful"; content:"POST"; http_method; content:"200"; http_stat_code; sid:7;)

However, with Suricata 4.1.2, I get an error

error parsing signature "alert http any any -> any any (msg:"HTTP POST method seen and successful"; content:"POST"; http_method; content:"200"; http_stat_code; sid:7;)" from file ex2.rules at line 3
rule 7 mixes keywords with conflicting directions

I'm not sure if this was a purposeful change or a regression. Scanning https://github.com/OISF/suricata/blob/master/ChangeLog, nothing specific jumped out at me to suggest this was an intended change.

History

#1

Updated by Victor Julien 2 months ago

This was never supported. The only change in 4.1 is that the rule parser became stricter. In previous versions such rules may have worked by luck or by skipping certain conditions in their checks.
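The check the stricter 4.1 parser performs can be reproduced as a small pre-deployment lint, so that rules like sid 7 are caught before a reload fails. This is an added example, not Suricata code: the keyword-to-direction table is an assumption from the documented meaning of the http_* modifiers (request-side buffers such as http_method only exist to-server, response-side buffers such as http_stat_code only to-client), and the sample rules file is constructed.

```python
import re

# Assumed direction of each http_* content modifier: "request" buffers exist
# only in the to-server direction, "response" buffers only to-client, and
# "both" buffers may be inspected in either direction without conflict.
HTTP_KEYWORD_DIRECTION = {
    "http_method": "request", "http_uri": "request", "http_raw_uri": "request",
    "http_client_body": "request", "http_user_agent": "request",
    "http_host": "request", "http_raw_host": "request",
    "http_stat_code": "response", "http_stat_msg": "response",
    "http_server_body": "response",
    "http_header": "both", "http_raw_header": "both", "http_cookie": "both",
}

# action, protocol, the rest of the header, then the option block in parentheses
RULE_RE = re.compile(r"^\s*(?:alert|drop|pass|reject)\s+\S+\s+.*?\((?P<opts>.*)\)\s*$")


def rule_directions(rule):
    """Return the set of single-direction buffers the rule's keywords inspect."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("not a rule line")
    dirs = set()
    # Splitting on ';' is safe: a literal ';' inside content must be hex-escaped (|3B|).
    for opt in m.group("opts").split(";"):
        name = opt.strip().split(":", 1)[0]
        direction = HTTP_KEYWORD_DIRECTION.get(name)
        if direction in ("request", "response"):
            dirs.add(direction)
    return dirs


def check_rule(rule):
    """Return None if the rule is consistent, else a message naming the conflict."""
    if len(rule_directions(rule)) > 1:
        sid = re.search(r"\bsid:\s*(\d+)", rule)
        return f"rule {sid.group(1) if sid else '?'} mixes keywords with conflicting directions"
    return None


def lint_rules_text(text):
    """Lint each non-empty, non-comment line; return [(line_no, message), ...]."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.strip() and not line.lstrip().startswith("#"):
            msg = check_rule(line)
            if msg:
                findings.append((line_no, msg))
    return findings


# Constructed ex2.rules; line 3 is the rule from the report above.
SAMPLE_RULES = """# constructed ex2.rules for the example
alert http any any -> any any (msg:"POST seen"; content:"POST"; http_method; sid:5;)
alert http any any -> any any (msg:"HTTP POST method seen and successful"; content:"POST"; http_method; content:"200"; http_stat_code; sid:7;)
alert http any any -> any any (msg:"200 seen"; content:"200"; http_stat_code; sid:6;)
"""
```

Running lint_rules_text(SAMPLE_RULES) reports only line 3, with the same wording as the 4.1.2 error, while the two single-direction rules pass.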

#2

Updated by Andreas Herz 20 minutes ago

  • Assignee set to Derek Ditch
  • Target version set to Support

Do you need more feedback on that, or is the response from Victor helpful?
If yes, please close the issue :)
