Bug #3237

closed

http_accept not treated as sticky buffer by --engine-analysis

Added by Peter Manev about 5 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Using:

This is Suricata version 5.0.0-dev (412ae11ba 2019-10-12)

SID 2018635 from ETOpen (https://rules.emergingthreats.net/open/suricata-5.0/emerging-all.rules) - warns on

    Warning: Rule contains content with http_* and content without http_*.
             -Consider adding http content modifiers.

== Sid: 2018635 ==
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Upatre Header Structure 2"; flow:established,to_server; content:"GET"; http_method; content:!"Taitus"; http_user_agent; content:!"Sling/"; http_user_agent; content:!"sophosupd.com"; http_host; content:!"sophosupd.net"; http_host; content:!"Updexer/"; http_user_agent; http_accept; content:"text/*,|20|application/*"; isdataat:!1,relative; fast_pattern; http_header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host"; depth:26; classtype:trojan-activity; sid:2018635; rev:12; metadata:created_at 2014_07_03, updated_at 2019_10_10;)
    Rule matches on http method buffer.
    Rule matches on http user agent buffer.
    Rule matches on http host buffer.
    Rule matches on http header names buffer.
    App layer protocol is http.
    Rule contains 1 content options, 7 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "text/*, application/*" on "http accept header (http_accept)" buffer.
    Warning: Rule contains content with http_* and content without http_*.
             -Consider adding http content modifiers.

However, the warning is gone when "http_accept" and the content after it are removed.

== Sid: 111 ==
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Upatre Header Structure 2"; flow:established,to_server; content:"GET"; http_method; content:!"Taitus"; http_user_agent; content:!"Sling/"; http_user_agent; content:!"sophosupd.com"; http_host; content:!"sophosupd.net"; http_host; content:!"Updexer/"; http_user_agent; http_header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host"; depth:26; classtype:trojan-activity; sid:111; rev:12; metadata:created_at 2014_07_03, updated_at 2019_10_10;)
    Rule matches on http method buffer.
    Rule matches on http user agent buffer.
    Rule matches on http host buffer.
    Rule matches on http header names buffer.
    App layer protocol is http.
    Rule contains 0 content options, 7 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "\x0D\x0AAccept\x0D\x0AUser-Agent\x0D\x0AHost" on "http header names (http_header_names)" buffer.
    No warnings for this rule.

#1

Updated by Victor Julien about 5 years ago

  • Status changed from New to Assigned
  • Assignee set to Jeff Lucovsky
  • Target version set to 5.0.1
#2

Updated by Jeff Lucovsky about 5 years ago

This PR adds support for http_accept and other missing keywords: https://github.com/OISF/suricata/pull/4181

Would you like to use this PR for this issue?

#3

Updated by Peter Manev about 5 years ago

Another example: sid:2839153 also has this.

#4

Updated by Victor Julien almost 5 years ago

  • Status changed from Assigned to Closed