Project

General

Profile

Actions

Bug #3350

closed

--engine-analysis not understanding transforms

Added by Victor Julien almost 2 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

== Sid: 88 ==
alert dns any any -> any any (dns.query; to_md5; to_sha256; content:"ABCD"; sid:88;)
    App layer protocol is dns.
    Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "ABCD" on "" buffer.
    Warning: TCP rule without a flow or flags option.
             -Consider adding flow or flags to improve performance of this rule.

== Sid: 99 ==
alert http any any -> any any (flow:to_server; http_header_names; compress_whitespace; strip_whitespace; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|"; sid:99;)
    App layer protocol is http.
    Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "\x0D\x0AHost\x0D\x0AConnection\x0D\x0A" on "" buffer.
    Warning: Rule app layer protocol is http, but content options do not have http_* modifiers.
             -Consider adding http content modifiers.
    Warning: TCP rule without a flow or flags option.
             -Consider adding flow or flags to improve performance of this rule.

This is with https://github.com/OISF/suricata/pull/4373
Actions #1

Updated by Jeff Lucovsky almost 2 years ago

The concern are these messages

1.

    Fast Pattern "\x0D\x0AHost\x0D\x0AConnection\x0D\x0A" on "" buffer.

2.
     Fast Pattern "ABCD" on "" buffer. 

If so, instead of

""
what would you expect to be displayed/

Actions #2

Updated by Peter Manev almost 2 years ago

It think if possible the buffer name whatever that buffer ends to be, for example something like... "tcp payload/udp packet payload".

Actions #3

Updated by Peter Manev almost 2 years ago

With https://github.com/OISF/suricata/pull/4409 it looks better

== Sid: 88 ==
alert dns any any -> any any (dns.query; to_md5; to_sha256; content:"ABCD"; sid:88;)
    App layer protocol is dns.
    Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "ABCD" on "dns_query" (with 2 transform(s)) buffer.
    Warning: TCP rule without a flow or flags option.
             -Consider adding flow or flags to improve performance of this rule.

== Sid: 99 ==
alert http any any -> any any (flow:to_server; http_header_names; compress_whitespace; strip_whitespace; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|"; sid:99;)
    App layer protocol is http.
    Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "\x0D\x0AHost\x0D\x0AConnection\x0D\x0A" on "http_header_names" (with 2 transform(s)) buffer.
    Warning: Rule app layer protocol is http, but content options do not have http_* modifiers.
             -Consider adding http content modifiers.
    Warning: TCP rule without a flow or flags option.
             -Consider adding flow or flags to improve performance of this rule.
Actions #4

Updated by Jeff Lucovsky over 1 year ago

  • Status changed from Assigned to Closed
Actions #5

Updated by Victor Julien over 1 year ago

  • Target version changed from 70 to 5.0.1
Actions

Also available in: Atom PDF