Bug #3237 (closed)
http_accept not treated as sticky buffer by --engine-analysis
Description
Using:
This is Suricata version 5.0.0-dev (412ae11ba 2019-10-12)
SID 2018635 from ETOpen (https://rules.emergingthreats.net/open/suricata-5.0/emerging-all.rules) warns on:
Warning: Rule contains content with http_* and content without http_*. -Consider adding http content modifiers.
== Sid: 2018635 ==
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Upatre Header Structure 2"; flow:established,to_server; content:"GET"; http_method; content:!"Taitus"; http_user_agent; content:!"Sling/"; http_user_agent; content:!"sophosupd.com"; http_host; content:!"sophosupd.net"; http_host; content:!"Updexer/"; http_user_agent; http_accept; content:"text/*,|20|application/*"; isdataat:!1,relative; fast_pattern; http_header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host"; depth:26; classtype:trojan-activity; sid:2018635; rev:12; metadata:created_at 2014_07_03, updated_at 2019_10_10;)
Rule matches on http method buffer.
Rule matches on http user agent buffer.
Rule matches on http host buffer.
Rule matches on http header names buffer.
App layer protocol is http.
Rule contains 1 content options, 7 http content options, 0 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "text/*, application/*" on "http accept header (http_accept)" buffer.
Warning: Rule contains content with http_* and content without http_*. -Consider adding http content modifiers.
However, the warning is gone when "http_accept" and the content after it are removed.
== Sid: 111 ==
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Upatre Header Structure 2"; flow:established,to_server; content:"GET"; http_method; content:!"Taitus"; http_user_agent; content:!"Sling/"; http_user_agent; content:!"sophosupd.com"; http_host; content:!"sophosupd.net"; http_host; content:!"Updexer/"; http_user_agent; http_header_names; content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host"; depth:26; classtype:trojan-activity; sid:111; rev:12; metadata:created_at 2014_07_03, updated_at 2019_10_10;)
Rule matches on http method buffer.
Rule matches on http user agent buffer.
Rule matches on http host buffer.
Rule matches on http header names buffer.
App layer protocol is http.
Rule contains 0 content options, 7 http content options, 0 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "\x0D\x0AAccept\x0D\x0AUser-Agent\x0D\x0AHost" on "http header names (http_header_names)" buffer.
No warnings for this rule.
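The two outputs above differ only in how the analyser attributes the content that follows http_accept. As an added example (not code from the Suricata project or from this report), the Python below walks a rule's option list the way the engine's own classification should: a legacy modifier such as http_user_agent attaches to the content before it, while a sticky buffer such as http_accept or http_header_names applies to every content after it until another buffer keyword appears. The sticky-buffer set is a parameter, so leaving http_accept out of it reproduces the counts in the report (1 plain content, 7 http contents, warning raised), while the full set gives the counts the rule deserves (0 plain, 8 http, no warning). The keyword sets are partial assumptions sufficient for the rules on this page; the rule text itself is SID 2018635 as quoted above.

```python
"""Added example, not code from the Suricata project or from this bug report.

Records which HTTP buffer each `content` keyword of a Suricata rule applies
to, honouring the two keyword styles Suricata 5 supports:
  * legacy content modifiers (http_method, http_user_agent, ...) follow a
    content keyword and attach to it;
  * sticky buffers (http_accept, http_header_names, ...) precede the contents
    they apply to and stay in effect until another buffer keyword is seen.
The keyword sets below are assumed, partial lists taken from the Suricata
keyword reference; they cover what the rules on this page use.
"""

# Legacy modifiers: apply to the content keyword that precedes them (assumed subset).
LEGACY_MODIFIERS = {
    "http_method", "http_user_agent", "http_host", "http_raw_host", "http_uri",
    "http_raw_uri", "http_header", "http_raw_header", "http_cookie",
    "http_client_body", "http_server_body", "http_stat_code", "http_stat_msg",
}

# Sticky buffers: apply to every content keyword that follows (assumed subset).
STICKY_BUFFERS = {
    "http_accept", "http_accept_enc", "http_accept_lang", "http_header_names",
    "http_connection", "http_content_len", "http_content_type", "http_referer",
    "http_protocol", "http_start", "http_request_line", "http_response_line",
}


def split_options(rule):
    """Return (keyword, value) pairs from the text inside the rule's parentheses.

    Splits on ';' only outside double quotes; a backslash escapes the next
    character, so an escaped semicolon inside a content value does not split.
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options, current, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == '"':
            current.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            options.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    if "".join(current).strip():
        options.append("".join(current).strip())
    pairs = []
    for opt in options:
        key, sep, val = opt.partition(":")
        pairs.append((key.strip(), val.strip() if sep else None))
    return pairs


def classify_contents(rule, sticky_buffers=STICKY_BUFFERS):
    """Return [(content_value, buffer_or_None), ...] in rule order."""
    contents = []          # [value, buffer] for each content keyword seen
    current_sticky = None  # buffer selected by the most recent sticky keyword
    for key, val in split_options(rule):
        if key == "content":
            contents.append([val, current_sticky])
        elif key in LEGACY_MODIFIERS and contents:
            contents[-1][1] = key        # modifier attaches to the preceding content
        elif key in sticky_buffers:
            current_sticky = key         # selects the buffer for later contents
        # isdataat, depth, fast_pattern, flow, ... do not change the buffer
    return [tuple(c) for c in contents]


def analyse(rule, sticky_buffers=STICKY_BUFFERS):
    """Mimic the engine-analysis content counts: (plain, http, warning_raised)."""
    classified = classify_contents(rule, sticky_buffers)
    http = sum(1 for _, buf in classified if buf is not None)
    plain = len(classified) - http
    return plain, http, plain > 0 and http > 0


# SID 2018635 as quoted in the report (ETOpen rule text).
RULE_2018635 = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Common Upatre Header Structure 2"; '
    'flow:established,to_server; content:"GET"; http_method; content:!"Taitus"; http_user_agent; '
    'content:!"Sling/"; http_user_agent; content:!"sophosupd.com"; http_host; '
    'content:!"sophosupd.net"; http_host; content:!"Updexer/"; http_user_agent; http_accept; '
    'content:"text/*,|20|application/*"; isdataat:!1,relative; fast_pattern; http_header_names; '
    'content:"|0d 0a|Accept|0d 0a|User-Agent|0d 0a|Host"; depth:26; classtype:trojan-activity; '
    'sid:2018635; rev:12; metadata:created_at 2014_07_03, updated_at 2019_10_10;)'
)

if __name__ == "__main__":
    for label, sticky in (("http_accept sticky", STICKY_BUFFERS),
                          ("http_accept not sticky", STICKY_BUFFERS - {"http_accept"})):
        plain, http, warn = analyse(RULE_2018635, sticky)
        print(f"{label}: {plain} content options, {http} http content options, "
              f"warning={'yes' if warn else 'no'}")
```

Only the content counts are modelled; the real --engine-analysis output also reports pcre options and the fast-pattern choice, which are unaffected by this bug.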