Bug #3350 (closed): engine-analysis not understanding transforms
Description
== Sid: 88 ==
alert dns any any -> any any (dns.query; to_md5; to_sha256; content:"ABCD"; sid:88;)
App layer protocol is dns.
Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "ABCD" on "" buffer.
Warning: TCP rule without a flow or flags option.
-Consider adding flow or flags to improve performance of this rule.
== Sid: 99 ==
alert http any any -> any any (flow:to_server; http_header_names; compress_whitespace; strip_whitespace; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|"; sid:99;)
App layer protocol is http.
Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "\x0D\x0AHost\x0D\x0AConnection\x0D\x0A" on "" buffer.
Warning: Rule app layer protocol is http, but content options do not have http_* modifiers.
-Consider adding http content modifiers.
Warning: TCP rule without a flow or flags option.
-Consider adding flow or flags to improve performance of this rule.
This is with https://github.com/OISF/suricata/pull/4373
Updated by Jeff Lucovsky about 5 years ago
The concern is these messages:
1. Fast Pattern "\x0D\x0AHost\x0D\x0AConnection\x0D\x0A" on "" buffer.
2. Fast Pattern "ABCD" on "" buffer.
If so, instead of "", what would you expect to be displayed?
Updated by Peter Manev about 5 years ago
I think, if possible, the buffer name, whatever that buffer ends up being, for example something like "tcp payload/udp packet payload".
Updated by Peter Manev about 5 years ago
With https://github.com/OISF/suricata/pull/4409 it looks better
== Sid: 88 ==
alert dns any any -> any any (dns.query; to_md5; to_sha256; content:"ABCD"; sid:88;)
App layer protocol is dns.
Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "ABCD" on "dns_query" (with 2 transform(s)) buffer.
Warning: TCP rule without a flow or flags option.
-Consider adding flow or flags to improve performance of this rule.
== Sid: 99 ==
alert http any any -> any any (flow:to_server; http_header_names; compress_whitespace; strip_whitespace; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|"; sid:99;)
App layer protocol is http.
Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "\x0D\x0AHost\x0D\x0AConnection\x0D\x0A" on "http_header_names" (with 2 transform(s)) buffer.
Warning: Rule app layer protocol is http, but content options do not have http_* modifiers.
-Consider adding http content modifiers.
Warning: TCP rule without a flow or flags option.
-Consider adding flow or flags to improve performance of this rule.
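As an added example (not code from the Suricata project or from this ticket's participants), the small parser below reads the engine-analysis "Fast Pattern ... on ... buffer" lines in both the pre-fix form (empty buffer name) and the post-fix form (named sticky buffer plus transform count) and flags any sid whose fast pattern still reports an empty buffer name; the sample input is a constructed excerpt in the format shown above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt: sid 88 in the pre-fix format (empty buffer name),
# sid 99 in the post-fix format (sticky buffer name and transform count).
SAMPLE_ANALYSIS = '''== Sid: 88 ==
alert dns any any -> any any (dns.query; to_md5; to_sha256; content:"ABCD"; sid:88;)
Fast Pattern "ABCD" on "" buffer.
== Sid: 99 ==
alert http any any -> any any (flow:to_server; http_header_names; compress_whitespace; strip_whitespace; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|"; sid:99;)
Fast Pattern "\\x0D\\x0AHost\\x0D\\x0AConnection\\x0D\\x0A" on "http_header_names" (with 2 transform(s)) buffer.
'''

SID_RE = re.compile(r'^== Sid: (\d+) ==')
# Matches both 'on "" buffer.' and 'on "name" (with N transform(s)) buffer.'
FP_RE = re.compile(
    r'^Fast Pattern "(.*)" on "([^"]*)"(?: \(with (\d+) transform\(s\)\))? buffer\.'
)


@dataclass
class FastPattern:
    sid: int
    pattern: str     # escaped bytes exactly as engine-analysis prints them
    buffer: str      # sticky buffer name; "" reproduces the bug in this ticket
    transforms: int  # number of transforms applied before matching


def parse_engine_analysis(text: str) -> List[FastPattern]:
    """Collect one FastPattern record per sid from engine-analysis output."""
    records: List[FastPattern] = []
    sid: Optional[int] = None
    for line in text.splitlines():
        m = SID_RE.match(line)
        if m:
            sid = int(m.group(1))
            continue
        m = FP_RE.match(line)
        if m and sid is not None:
            records.append(FastPattern(sid, m.group(1), m.group(2), int(m.group(3) or 0)))
    return records


def unnamed_buffers(records: List[FastPattern]) -> List[int]:
    """Sids whose fast pattern is reported on an empty buffer name."""
    return [r.sid for r in records if r.buffer == ""]


if __name__ == "__main__":
    for r in parse_engine_analysis(SAMPLE_ANALYSIS):
        print(f"sid {r.sid}: buffer={r.buffer!r} transforms={r.transforms}")
    print("unnamed:", unnamed_buffers(parse_engine_analysis(SAMPLE_ANALYSIS)))
```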
Updated by Jeff Lucovsky almost 5 years ago
- Status changed from Assigned to Closed
Resolved in https://github.com/OISF/suricata/pull/4420
Updated by Victor Julien almost 5 years ago
- Target version changed from 70 to 5.0.1