Bug #4880
openhostbits/xbits: treat hostbits and xbits differently in the rule ordering stage
Description
The description of hostbits and xbits in the latest document does not match the status quo.
https://suricata.readthedocs.io/en/latest/rules/xbits.html#xbits-keyword
alert ip any any -> any any (msg:"test xbits set fakehost"; xbits:set, fakehost, track ip_dst; sid:1;)
alert ip any any -> any any (msg:"test xbits isset set fakehost and set fakerservice"; xbits:isset, fakehost, track ip_dst; xbits:set, fakeservice, track ip_dst; sid:2;)
alert ip any any -> any any (msg:"test xbits isset set fakeservice"; xbits:isset, fakeservice, track ip_dst; sid:3;)
I can't get an alert triggered by the third rule.
alert ip any any -> any any (msg:"test hostbits set fakehost"; hostbits:set, fakehost, dst; sid:1;)
alert ip any any -> any any (msg:"test hostbits isset hostbits and set fakerservice"; hostbits:isset, fakehost, dst; hostbits:set, fakeservice, dst; sid:2;)
alert ip any any -> any any (msg:"test hostbits isset fakerservice"; hostbits:isset, fakeservice, dst; sid:3;)
I can get an alert triggered by the third rule.
PM Updated by Peter Manev about 4 years ago
May be related to
https://redmine.openinfosecfoundation.org/issues/1399
PA Updated by Philippe Antoine almost 2 years ago
- Related to Bug #1399: Flowbits rules not always evaluated in necessary order added
PA Updated by Philippe Antoine almost 2 years ago
- Target version set to TBD
PA Updated by Philippe Antoine almost 2 years ago
- Assignee set to OISF Dev
PA Updated by Philippe Antoine 10 months ago
- Status changed from New to Feedback
- Label Needs Suricata-Verify test added
Is this still an issue in Suricata 8 ? Would you have a pcap to test the supplied rules ?