Bug #4880

open

hostbits/xbits: treat hostbits and xbits differently in the rule ordering stage

Added by zhenjun zhu over 2 years ago. Updated about 2 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
Affected Versions:
Effort:
Difficulty:
Label:

Description

The description of hostbits and xbits in the latest documentation does not match the status quo.
https://suricata.readthedocs.io/en/latest/rules/xbits.html#xbits-keyword

alert ip any any -> any any (msg:"test xbits set fakehost"; xbits:set, fakehost, track ip_dst; sid:1;)
alert ip any any -> any any (msg:"test xbits isset fakehost and set fakeservice"; xbits:isset, fakehost, track ip_dst; xbits:set, fakeservice, track ip_dst; sid:2;)
alert ip any any -> any any (msg:"test xbits isset fakeservice"; xbits:isset, fakeservice, track ip_dst; sid:3;)

I can't get an alert triggered by the third rule.

alert ip any any -> any any (msg:"test hostbits set fakehost"; hostbits:set, fakehost, dst; sid:1;)
alert ip any any -> any any (msg:"test hostbits isset fakehost and set fakeservice"; hostbits:isset, fakehost, dst; hostbits:set, fakeservice, dst; sid:2;)
alert ip any any -> any any (msg:"test hostbits isset fakeservice"; hostbits:isset, fakeservice, dst; sid:3;)

I can get an alert triggered by the third rule.
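The ticket title refers to Suricata's rule ordering stage, whose job is to place a rule that sets a bit before every rule that checks it, so a set/isset chain can fire on the same packet regardless of the order the rules were written in. The following is an added illustration of that idea and is not Suricata's code: it parses only the sid and the xbits/hostbits operations out of the three rules above, computes a set-before-isset ordering with a stable topological sort, and evaluates the rules against a constructed packet in a reversed order versus the computed order. The bit semantics are simplified assumptions (a set takes effect immediately after the rule matches, only ip_src/ip_dst tracking, no expire), and the packet addresses are constructed.

```python
import heapq
import re
from collections import defaultdict

# Constructed input: the xbits rules from the bug report, in the order they were written.
RULES = [
    'alert ip any any -> any any (msg:"test xbits set fakehost"; xbits:set, fakehost, track ip_dst; sid:1;)',
    'alert ip any any -> any any (msg:"test xbits isset fakehost and set fakeservice"; '
    'xbits:isset, fakehost, track ip_dst; xbits:set, fakeservice, track ip_dst; sid:2;)',
    'alert ip any any -> any any (msg:"test xbits isset fakeservice"; xbits:isset, fakeservice, track ip_dst; sid:3;)',
]

# Minimal parser for the only parts this illustration needs: the sid and each
# xbits/hostbits operation. Accepts both "track ip_dst" (xbits) and "dst" (hostbits).
BIT_RE = re.compile(
    r'\b(?:xbits|hostbits):\s*(set|isset|isnotset|unset|toggle)\s*,\s*([\w.-]+)'
    r'\s*,\s*(?:track\s+)?(ip_src|ip_dst|src|dst)\b')
SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')


def parse_rule(text):
    m = SID_RE.search(text)
    if not m:
        raise ValueError("rule without sid: " + text)
    ops = [(act, name, "dst" if trk in ("ip_dst", "dst") else "src")
           for act, name, trk in BIT_RE.findall(text)]
    return {"sid": int(m.group(1)), "ops": ops}


def order_set_before_isset(rules):
    """Ordering stage (assumed semantics): every rule that sets or toggles a bit is
    placed before every rule that checks it. Stable Kahn's algorithm keyed on sid;
    rules stuck in a dependency cycle are appended in sid order."""
    setters = defaultdict(set)
    for r in rules:
        for act, name, _ in r["ops"]:
            if act in ("set", "toggle"):
                setters[name].add(r["sid"])
    deps = {r["sid"]: set() for r in rules}
    for r in rules:
        for act, name, _ in r["ops"]:
            if act in ("isset", "isnotset"):
                deps[r["sid"]] |= setters[name] - {r["sid"]}
    indeg = {sid: len(d) for sid, d in deps.items()}
    dependents = defaultdict(set)
    for sid, d in deps.items():
        for s in d:
            dependents[s].add(sid)
    ready = [sid for sid, n in indeg.items() if n == 0]
    heapq.heapify(ready)
    out = []
    while ready:
        sid = heapq.heappop(ready)
        out.append(sid)
        for t in dependents[sid]:
            indeg[t] -= 1
            if indeg[t] == 0:
                heapq.heappush(ready, t)
    out += sorted(sid for sid, n in indeg.items() if n > 0)
    return out


def evaluate(rules, order, packet, bits=None):
    """Evaluate rules in the given sid order against one packet. `bits` is the
    per-host state {(bitname, ip)}; pass the same set across packets to model a host
    table that persists. Returns the sids that alerted on this packet."""
    by_sid = {r["sid"]: r for r in rules}
    if bits is None:
        bits = set()
    fired = []
    for sid in order:
        r = by_sid[sid]
        key = lambda trk: packet["dst"] if trk == "dst" else packet["src"]
        ok = True
        for act, name, trk in r["ops"]:
            present = (name, key(trk)) in bits
            if (act == "isset" and not present) or (act == "isnotset" and present):
                ok = False
        if not ok:
            continue
        for act, name, trk in r["ops"]:  # post-match: apply the bit changes
            if act == "set":
                bits.add((name, key(trk)))
            elif act == "unset":
                bits.discard((name, key(trk)))
            elif act == "toggle":
                bits ^= {(name, key(trk))}
        fired.append(sid)
    return fired


if __name__ == "__main__":
    rules = [parse_rule(t) for t in RULES]
    pkt = {"src": "192.0.2.10", "dst": "198.51.100.7"}  # constructed addresses
    print("unordered (3,2,1):", evaluate(rules, [3, 2, 1], pkt))
    print("ordered:", order_set_before_isset(rules), "->",
          evaluate(rules, order_set_before_isset(rules), pkt))
```

Run stand-alone it shows the same packet alerting only on sid 1 when the checker rules happen to run before the setter, and on all three once the ordering stage has placed sid 1 before sid 2 before sid 3. Because host bits persist, a badly ordered set still alerts on sid 3 on a later packet to the same destination; what the ordering stage buys is the chain completing on a single packet.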
