Project

General

Profile

Actions

Bug #2882

closed

http keyword rule regression for bi-directional rules

Added by Derek Ditch about 5 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

in Suricata 4.0.4 (from EPEL RPM), I was able to correctly alert on the following rule:

alert http any any -> any any (msg:"HTTP POST method seen and successful"; content:"POST"; http_method; content:"200"; http_stat_code; sid:7;)

However, with Suricata 4.1.2, I get an error

error parsing signature "alert http any any -> any any (msg:"HTTP POST method seen and successful"; content:"POST"; http_method; content:"200"; http_stat_code; sid:7;)" from file ex2.rules at line 3
rule 7 mixes keywords with conflicting directions

I'm not sure if this was a purposeful change or a regression. Scanning [[https://github.com/OISF/suricata/blob/master/ChangeLog]], nothing specific jumped out at me to suggest this was an intended change.

Actions #1

Updated by Victor Julien about 5 years ago

This was never supported. The only change in 4.1 is that the rule parser became stricter. In previous versions such rules may have worked by luck or by skipping certain conditions in their checks.

Actions #2

Updated by Andreas Herz almost 5 years ago

  • Assignee set to Derek Ditch
  • Target version set to Support

Do you need more feedback on that or is the response from Victor helpful?
If yes please close the issue :)

Actions #3

Updated by Victor Julien almost 5 years ago

  • Status changed from New to Closed
  • Assignee deleted (Derek Ditch)
  • Target version deleted (Support)
Actions

Also available in: Atom PDF