Feature #4381

open

Task #4380: tracking: improvements to bits, ints, vars

flowbits: warn if flowbit dependencies don't follow suricata inspection order

Added by Victor Julien over 3 years ago. Updated over 1 year ago.

Status: New
Priority: Normal

Description

Consider 2 rules:

file.data; content:"abc"; flowbits:set,bit1;
http.uri; content:"xyz"; flowbits:isset,bit1;

The first rule will be evaluated last because it is part of the response. We should warn here.

Consider 2 rules:

http.request_body; content:"abc"; flowbits:set,bit1;
http.uri; content:"xyz"; flowbits:isset,bit1;

The first rule will be evaluated last because it happens later in the stream. We should warn here. We can look at the max "progress value" associated with a buffer perhaps.
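A sketch of the requested check, added here as an example and not taken from the ticket or from Suricata's code: it ranks each buffer by direction and progress and reports every `isset` whose earliest `set` is inspected later. The `BUFFER_ORDER` values and the function names are assumptions made for illustration, not Suricata's internal progress values.

```python
import re
from collections import defaultdict

# Assumed inspection order, for illustration only: (direction, progress).
# Direction 0 = request, 1 = response; a higher progress value means the buffer
# becomes available later. These are NOT Suricata's internal progress values.
BUFFER_ORDER = {
    "http.uri": (0, 1),
    "http.request_body": (0, 2),
    "file.data": (1, 2),  # response data, as in the first case in the description
}
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*(set|isset)\s*,\s*([\w.]+)")

def latest_buffer(rule):
    """Return (order, name) for the latest-inspected known buffer in a rule."""
    # Naive split on ';' is enough for these fragments (no escaped '\;' handling).
    names = [k.strip() for k in rule.split(";")]
    known = [(BUFFER_ORDER[n], n) for n in names if n in BUFFER_ORDER]
    return max(known) if known else None

def flowbit_order_warnings(rules):
    """Return (bit, isset_buffer, set_buffer) for each isset no setter can precede."""
    setters, checkers = defaultdict(list), defaultdict(list)
    for rule in rules:
        where = latest_buffer(rule)
        if where is None:
            continue  # no known buffer: nothing to compare
        for action, bit in FLOWBITS_RE.findall(rule):
            (setters if action == "set" else checkers)[bit].append(where)
    warnings = []
    for bit, checks in checkers.items():
        if not setters[bit]:
            continue  # a bit that is never set is a different check
        first_set = min(setters[bit])
        for check in checks:
            if first_set[0] > check[0]:  # earliest setter still runs after the check
                warnings.append((bit, check[1], first_set[1]))
    return warnings

# Constructed input: the two rule pairs from the description, with distinct bit names.
SAMPLE = [
    'file.data; content:"abc"; flowbits:set,bit1;',
    'http.uri; content:"xyz"; flowbits:isset,bit1;',
    'http.request_body; content:"abc"; flowbits:set,bit2;',
    'http.uri; content:"xyz"; flowbits:isset,bit2;',
]

if __name__ == "__main__":
    print(flowbit_order_warnings(SAMPLE))
```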
