Bug #2882

http keyword rule regression for bi-directional rules

Added by Derek Ditch 11 days ago. Updated 11 days ago.

Status: New
Priority: Normal
Assignee: -
Target version: -
Affected Versions:
Effort:
Difficulty:
Label:

Description

in Suricata 4.0.4 (from EPEL RPM), I was able to correctly alert on the following rule:

alert http any any -> any any (msg:"HTTP POST method seen and successful"; content:"POST"; http_method; content:"200"; http_stat_code; sid:7;)

However, with Suricata 4.1.2, I get an error

error parsing signature "alert http any any -> any any (msg:"HTTP POST method seen and successful"; content:"POST"; http_method; content:"200"; http_stat_code; sid:7;)" from file ex2.rules at line 3
rule 7 mixes keywords with conflicting directions

I'm not sure if this was a purposeful change or a regression. Scanning https://github.com/OISF/suricata/blob/master/ChangeLog, nothing specific jumped out at me to suggest this was an intended change.

History

#1

Updated by Victor Julien 11 days ago

This was never supported. The only change in 4.1 is that the rule parser became stricter. In previous versions such rules may have worked by luck or by skipping certain conditions in their checks.
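The check described in the comment above, and the usual way to express "POST request followed by a 200 response" as two rules, as an added example that is not Suricata's parser code and was not posted by anyone in this ticket. The script tokenises a rule's options, classifies each HTTP content modifier by the direction of the buffer it inspects, rejects a mix the way 4.1 does, and rewrites rule 7 into a request rule that sets a flowbit (without alerting) and a response rule that alerts only when that flowbit is set on the same flow. The keyword-direction table, the flowbit name `http.post.seen` and the sids 7000001/7000002 are assumptions chosen for the example; the rule header is copied unchanged, which is fine here because the ticket's rule is `any any -> any any`.

```python
# Added example, not Suricata's own parser code. Reproduces the direction
# check that rejects rule 7 in 4.1 and rewrites it as two flowbits-linked
# rules. KEYWORD_DIRECTION is an assumption based on which HTTP buffer each
# modifier inspects; the flowbit name and sids are placeholders.
import re

# Direction of the buffer each content modifier attaches to. Modifiers that
# inspect both request and response (http_header, http_cookie) are left out
# on purpose: they do not constrain direction.
KEYWORD_DIRECTION = {
    "http_method": "to_server", "http_uri": "to_server",
    "http_raw_uri": "to_server", "http_client_body": "to_server",
    "http_user_agent": "to_server", "http_host": "to_server",
    "http_request_line": "to_server",
    "http_stat_code": "to_client", "http_stat_msg": "to_client",
    "http_server_body": "to_client", "http_response_line": "to_client",
}
# Options that belong to the content keyword preceding a modifier.
CONTENT_OPTIONS = {"content", "pcre", "nocase", "offset", "depth",
                   "distance", "within", "isdataat"}
RULE_RE = re.compile(r"^(?P<header>[^(]*)\((?P<options>.*)\)\s*$")


def split_options(options):
    """Split 'k:v; k; ...' on semicolons outside double quotes (\\" escapes)."""
    out, buf, in_quote, prev = [], [], False, ""
    for ch in options:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            if "".join(buf).strip():
                out.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        prev = ch
    if "".join(buf).strip():
        out.append("".join(buf).strip())
    return out


def parse_rule(rule):
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not a rule: %r" % rule)
    return m.group("header").strip(), split_options(m.group("options"))


def rule_directions(rule):
    """Directions implied by HTTP modifiers and flow: options in the rule.
    Raises ValueError on a mix, as the 4.1 parser does for rule 7."""
    dirs = set()
    for opt in parse_rule(rule)[1]:
        key, _, val = opt.partition(":")
        key = key.strip()
        if key in KEYWORD_DIRECTION:
            dirs.add(KEYWORD_DIRECTION[key])
        elif key == "flow":
            dirs.update(f.strip() for f in val.split(",")
                        if f.strip() in ("to_server", "to_client"))
    if len(dirs) > 1:
        raise ValueError("rule mixes keywords with conflicting directions")
    return dirs


def is_rejected(rule):
    """True when the rule would be refused for conflicting directions."""
    try:
        rule_directions(rule)
        return False
    except ValueError:
        return True


def split_by_direction(rule, flowbit, sids):
    """Rewrite a modifier-form rule (content:"x"; http_xxx;) into a request
    rule that sets `flowbit` with flowbits:noalert and a response rule that
    alerts only if the flowbit is already set on the flow."""
    header, opts = parse_rule(rule)
    groups = {"to_server": [], "to_client": []}
    common, pending = [], []   # pending: content options awaiting a modifier
    for opt in opts:
        key = opt.partition(":")[0].strip()
        if key in KEYWORD_DIRECTION:
            groups[KEYWORD_DIRECTION[key]].extend(pending + [opt])
            pending = []
        elif key in CONTENT_OPTIONS:
            pending.append(opt)
        elif key in ("sid", "rev", "flow", "flowbits"):
            continue            # reissued per rule below
        else:
            common.append(opt)  # msg, classtype, metadata, ...
    common.extend(pending)      # bare content, no modifier: either direction

    def build(direction, extra, sid):
        body = common + ["flow:" + direction] + groups[direction] + extra
        return "%s (%s;)" % (header, "; ".join(body + ["sid:%d" % sid, "rev:1"]))

    return (build("to_server", ["flowbits:set,%s" % flowbit, "flowbits:noalert"], sids[0]),
            build("to_client", ["flowbits:isset,%s" % flowbit], sids[1]))


# Rule 7 from the ticket, constructed here verbatim from the description.
RULE_7 = ('alert http any any -> any any (msg:"HTTP POST method seen and '
          'successful"; content:"POST"; http_method; content:"200"; '
          'http_stat_code; sid:7;)')

if __name__ == "__main__":
    print("rule 7 rejected:", is_rejected(RULE_7))
    for r in split_by_direction(RULE_7, "http.post.seen", (7000001, 7000002)):
        print(r, "->", sorted(rule_directions(r)))
```

Each rewritten rule passes the direction check on its own, and the response rule fires only on flows where the request rule has already set the flowbit, which is the behaviour rule 7 was presumably meant to express.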
