Bug #3350
closed
--engine-analysis not understanding transforms
Added by Victor Julien about 5 years ago.
Updated almost 5 years ago.
Description
== Sid: 88 ==
alert dns any any -> any any (dns.query; to_md5; to_sha256; content:"ABCD"; sid:88;)
App layer protocol is dns.
Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "ABCD" on "" buffer.
Warning: TCP rule without a flow or flags option.
-Consider adding flow or flags to improve performance of this rule.
== Sid: 99 ==
alert http any any -> any any (flow:to_server; http_header_names; compress_whitespace; strip_whitespace; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|"; sid:99;)
App layer protocol is http.
Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "\x0D\x0AHost\x0D\x0AConnection\x0D\x0A" on "" buffer.
Warning: Rule app layer protocol is http, but content options do not have http_* modifiers.
-Consider adding http content modifiers.
Warning: TCP rule without a flow or flags option.
-Consider adding flow or flags to improve performance of this rule.
This is with
https://github.com/OISF/suricata/pull/4373
The concern is these messages:
1. Fast Pattern "\x0D\x0AHost\x0D\x0AConnection\x0D\x0A" on "" buffer.
2. Fast Pattern "ABCD" on "" buffer.
If so, instead of "" what would you expect to be displayed?
I think, if possible, the buffer name, whatever that buffer ends up being, for example something like... "tcp payload/udp packet payload".
With https://github.com/OISF/suricata/pull/4409 it looks better:
== Sid: 88 ==
alert dns any any -> any any (dns.query; to_md5; to_sha256; content:"ABCD"; sid:88;)
App layer protocol is dns.
Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "ABCD" on "dns_query" (with 2 transform(s)) buffer.
Warning: TCP rule without a flow or flags option.
-Consider adding flow or flags to improve performance of this rule.
== Sid: 99 ==
alert http any any -> any any (flow:to_server; http_header_names; compress_whitespace; strip_whitespace; content:"|0d 0a|Host|0d 0a|Connection|0d 0a|"; sid:99;)
App layer protocol is http.
Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "\x0D\x0AHost\x0D\x0AConnection\x0D\x0A" on "http_header_names" (with 2 transform(s)) buffer.
Warning: Rule app layer protocol is http, but content options do not have http_* modifiers.
-Consider adding http content modifiers.
Warning: TCP rule without a flow or flags option.
-Consider adding flow or flags to improve performance of this rule.
- Status changed from Assigned to Closed
- Target version changed from 70 to 5.0.1
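As an added example (not part of this ticket or of Suricata's own code), a small Python parser for the --engine-analysis output quoted above: it extracts, per sid, the fast pattern, the buffer name and the transform count, and flags the empty-buffer form ("" buffer) that the first PR printed for rules with transforms. The sample text is constructed from the lines in the report.

```python
import re

# "Fast Pattern "<pattern>" on "<buffer>" [(with N transform(s))] buffer."
FP_RE = re.compile(
    r'^Fast Pattern "(?P<pattern>.*)" on "(?P<buffer>[^"]*)"'
    r'(?: \(with (?P<transforms>\d+) transform\(s\)\))? buffer\.$'
)
# "== Sid: <n> ==" opens each per-rule block
SID_RE = re.compile(r'^== Sid: (?P<sid>\d+) ==$')


def parse_engine_analysis(text):
    """Map sid -> {pattern, buffer, transforms, empty_buffer} for each block."""
    result = {}
    sid = None
    for line in text.splitlines():
        line = line.strip()
        m = SID_RE.match(line)
        if m:
            sid = int(m.group("sid"))
            result[sid] = {}
            continue
        m = FP_RE.match(line)
        if m and sid is not None:
            n = m.group("transforms")
            result[sid] = {
                "pattern": m.group("pattern"),
                "buffer": m.group("buffer"),
                "transforms": int(n) if n else 0,
                # the symptom from the report: buffer name printed as ""
                "empty_buffer": m.group("buffer") == "",
            }
    return result


def sids_with_unresolved_buffer(text):
    """Sids whose fast pattern line does not name the buffer it runs on."""
    return sorted(s for s, i in parse_engine_analysis(text).items()
                  if i.get("empty_buffer"))


# Constructed sample input: the relevant lines before and after the fix.
BEFORE = """== Sid: 88 ==
Fast Pattern "ABCD" on "" buffer.
== Sid: 99 ==
Fast Pattern "\\x0D\\x0AHost\\x0D\\x0AConnection\\x0D\\x0A" on "" buffer.
"""
AFTER = """== Sid: 88 ==
Fast Pattern "ABCD" on "dns_query" (with 2 transform(s)) buffer.
== Sid: 99 ==
Fast Pattern "\\x0D\\x0AHost\\x0D\\x0AConnection\\x0D\\x0A" on "http_header_names" (with 2 transform(s)) buffer.
"""

if __name__ == "__main__":
    print(sids_with_unresolved_buffer(BEFORE))  # [88, 99]
    print(parse_engine_analysis(AFTER)[88])
```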