Project

General

Profile

Actions

Bug #4647

closed

rules: Unable to find the sm in any of the sm lists

Added by Jeff Lucovsky over 3 years ago. Updated about 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

I want to detect dns.flags.response==0 and dns.query is "test" or "abc" or "sdf".

alert dns any any -> any any (msg:"DNS_解析请求";byte_test:1,<,0x80,2;dns.query;pcre:"/test|abc|sdf/";sid:1;)

but this alerted "Unable to find the sm in any of the sm lists".

If modify the rule to:
alert dns any any -> any any (msg:"DNS_解析请求";dns.query;pcre:"/test|abc|sdf/";sid:1;)
or
alert dns any any -> any any (msg:"DNS_解析请求";byte_test:1,<,0x80,2;sid:1;)

These are ok. So,Why is this error reported.


Related issues 1 (0 open1 closed)

Copied from Suricata - Bug #4548: rules: Unable to find the sm in any of the sm listsClosedShivani BhardwajActions
Actions #1

Updated by Jeff Lucovsky over 3 years ago

  • Copied from Bug #4548: rules: Unable to find the sm in any of the sm lists added
Actions #2

Updated by Jeff Lucovsky about 3 years ago

  • Status changed from Assigned to In Progress

Cherry-pick commit(s):
- 9dd1444f4431731bf4917488e0abec0d9a46fdcc

Actions #3

Updated by Jeff Lucovsky about 3 years ago

  • Status changed from In Progress to In Review
Actions #4

Updated by Jeff Lucovsky about 3 years ago

  • Status changed from In Review to Closed
Actions

Also available in: Atom PDF