Bug #3133
http_accept_enc warning with engine-analysis (closed)
Description
With ETPro sig 2838049 when running --engine-analysis there is the following warning:
    Rule matches on http uri buffer.
    Rule matches on http method buffer.
    Rule matches on http user agent buffer.
    Rule matches on http header names buffer.
    App layer protocol is http.
    Rule contains 1 content options, 7 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "/config.json?id=" on "http request uri (http_uri)" buffer.
    Warning: Rule contains content with http_* and content without http_*.
            -Consider adding http content modifiers.
Here, if we remove the "http_accept_enc", we have the same warning, which means the buffer is not read in / considered as sticky, I think.
    /opt/suritest/bin/suricata -k none --runmode=autofp --engine-analysis -l logs/ -S test.rules ; cat logs/rules_analysis.txt
    [2500] 29/8/2019 -- 21:57:22 - (suricata.c:1070) <Notice> (LogVersion) -- This is Suricata version 5.0.0-dev (1bc738fbe 2019-08-26) running in USER mode
    Rule matches on reassembled stream.
    Rule matches on http uri buffer.
    Rule matches on http method buffer.
    Rule matches on http user agent buffer.
    Rule matches on http header names buffer.
    App layer protocol is http.
    Rule contains 1 content options, 7 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "/config.json?id=" on "http request uri (http_uri)" buffer.
    Warning: Rule contains content with http_* and content without http_*.
            -Consider adding http content modifiers.
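A triage helper for the situation this report describes, added here as an example and not part of the original report or of Suricata: it reads a rules_analysis.txt and separates rules where the warning points at a content with no HTTP scope from rules where every content already sits under an http_* modifier or the http_accept_enc sticky buffer. The `== Sid:` header layout, the three sample rules and the function names are assumptions constructed for the example.

```python
import re

STICKY = {"http_accept_enc"}  # sticky buffer named in the report
WARNING = "Rule contains content with http_* and content without http_*"

# Constructed sample in the layout of rules_analysis.txt. The "== Sid" header
# line and all three rules are assumptions made for this example.
SAMPLE = """\
== Sid: 1000001, Rev: 1 ==
alert http any any -> any any (msg:"sticky"; content:"/config.json?id="; http_uri; http_accept_enc; content:"gzip"; sid:1000001;)
    Warning: Rule contains content with http_* and content without http_*.
== Sid: 1000002, Rev: 1 ==
alert http any any -> any any (msg:"mixed"; content:"/a"; http_uri; content:"raw"; sid:1000002;)
    Warning: Rule contains content with http_* and content without http_*.
== Sid: 1000003, Rev: 1 ==
alert http any any -> any any (msg:"clean"; content:"/b"; http_uri; sid:1000003;)
    Rule matches on http uri buffer.
"""

def unscoped_contents(rule):
    """Contents with no http_* modifier after them and no sticky buffer before."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    sticky, pending, bare = False, None, []
    for opt in (o.strip() for o in re.split(r"(?<!\\);", body)):
        name = opt.split(":", 1)[0].strip()
        if name == "content" or name in STICKY:
            if pending is not None:      # earlier content never got a modifier
                bare.append(pending)
            sticky = sticky or name in STICKY
            pending = opt if name == "content" and not sticky else None
        elif name.startswith("http_"):   # old-style modifier scopes the content
            pending = None
    if pending is not None:
        bare.append(pending)
    return bare

def triage(report):
    """Map sid -> verdict for each rule that carries the mixed-content warning."""
    out, sid, rule = {}, None, ""
    lines = report.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"== Sid: (\d+)", line)
        if m and i + 1 < len(lines):
            sid, rule = int(m.group(1)), lines[i + 1]
        elif sid is not None and WARNING in line:
            out[sid] = "unscoped content" if unscoped_contents(rule) else "all content http-scoped"
    return out

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Rules reported as "all content http-scoped" are the ones where the warning can be reviewed against this bug rather than treated as a rule-writing mistake.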