rule analyzer: sig misreported as packet inspecting
Note: this may actually be a case where the signature's internal state is wrong, not the reporting itself.
== Sid: 4 == alert tcp-stream any any -> any any (content:"abc"; depth:3; sid:4; rev:1;) Rule matches on packets. Rule matches on reassembled stream. Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers. Warning: TCP rule without a flow or flags option. -Consider adding flow or flags to improve performance of this rule. Warning: Rule has depth/offset with raw content keywords. Please note the offset/depth will be checked against both packet payloads and stream. If you meant to have the offset/depth checked against just the payload, you can update the signature as "alert tcp-pkt..."
The tcp-stream forces stream inspection, so pkt inspection shouldn't be a part of this signature.
Updated by Anoop Saldanha over 11 years ago
- File 0002-if-a-sig-s-set-as-stream-sig-only-don-t-updated-it-a.patch 0002-if-a-sig-s-set-as-stream-sig-only-don-t-updated-it-a.patch added
patch attached. Contains fix for #497 as well.