Actions
Bug #3237
closedhttp_accept not treated as sticky buffer by --engine-analysis
Affected Versions:
Effort:
Difficulty:
Label:
Description
using
This is Suricata version 5.0.0-dev (412ae11ba 2019-10-12)
SID 2018635 from ETOpen (https://rules.emergingthreats.net/open/suricata-5.0/emerging-all.rules) - warns on
Warning: Rule contains content with http_* and content without http_*. -Consider adding http content modifiers.
== Sid: 2018635 == alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Upatre Header Structure 2"; flow:established,to_server; content:"GET"; http_method; content:!"Taitus"; http_user_agent; content:!"Sling/"; http_user_agent; content:!"sophosupd.com"; http_host; content:!"sophosupd.net"; http_host; content:!"Updexer/"; http_user_agent; http_accept; content:"text/*,|20|application/*"; isdataat:!1,relative; fast_pattern; http_header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host"; depth:26; classtype:trojan-activity; sid:2018635; rev:12; metadata:created_at 2014_07_03, updated_at 2019_10_10;) Rule matches on http method buffer. Rule matches on http user agent buffer. Rule matches on http host buffer. Rule matches on http header names buffer. App layer protocol is http. Rule contains 1 content options, 7 http content options, 0 pcre options, and 0 pcre options with http modifiers. Fast Pattern "text/*, application/*" on "http accept header (http_accept)" buffer. Warning: Rule contains content with http_* and content without http_*. -Consider adding http content modifiers.
However the warning is gone when "http_accept" and the content afterwords is removed.
== Sid: 111 == alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Upatre Header Structure 2"; flow:established,to_server; content:"GET"; http_method; content:!"Taitus"; http_user_agent; content:!"Sling/"; http_user_agent; content:!"sophosupd.com"; http_host; content:!"sophosupd.net"; http_host; content:!"Updexer/"; http_user_agent; http_header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host"; depth:26; classtype:trojan-activity; sid:111; rev:12; metadata:created_at 2014_07_03, updated_at 2019_10_10;) Rule matches on http method buffer. Rule matches on http user agent buffer. Rule matches on http host buffer. Rule matches on http header names buffer. App layer protocol is http. Rule contains 0 content options, 7 http content options, 0 pcre options, and 0 pcre options with http modifiers. Fast Pattern "\x0D\x0AAccept\x0D\x0AUser-Agent\x0D\x0AHost" on "http header names (http_header_names)" buffer. No warnings for this rule.
Updated by Victor Julien about 5 years ago
- Status changed from New to Assigned
- Assignee set to Jeff Lucovsky
- Target version set to 5.0.1
Updated by Jeff Lucovsky about 5 years ago
This PR adds support for
http_acceptand other missing keywords: https://github.com/OISF/suricata/pull/4181
Would you like to use this PR for this issue?
Updated by Peter Manev about 5 years ago
another example - sid:2839153 also has this.
Updated by Victor Julien about 5 years ago
- Status changed from Assigned to Closed
Actions