Project

General

Profile

Actions
Copy link

Bug #495

closed

rule analyzer: sig misreported as packet inspecting

Added by Victor Julien over 12 years ago. Updated over 12 years ago.

Status:
Closed
Priority:
Low
Assignee:
Anoop Saldanha
Target version:
1.3.1
Affected Versions:
Effort:
Difficulty:
Label:

Description

Note: this may actually be a case where the signature's internal state is wrong, not the reporting itself.

== Sid: 4 ==
alert tcp-stream any any -> any any (content:"abc"; depth:3; sid:4; rev:1;)
    Rule matches on packets.
    Rule matches on reassembled stream.
    Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    Warning: TCP rule without a flow or flags option.
             -Consider adding flow or flags to improve performance of this rule.
    Warning: Rule has depth/offset with raw content keywords.  Please note the offset/depth will be checked against both packet payloads and stream.  If you meant to have the offset/depth checked against just the payload, you can update the signature as "alert tcp-pkt..."

The tcp-stream forces stream inspection, so pkt inspection shouldn't be a part of this signature.

Files

0002-if-a-sig-s-set-as-stream-sig-only-don-t-updated-it-a.patch (3.33 KB) 0002-if-a-sig-s-set-as-stream-sig-only-don-t-updated-it-a.patch Anoop Saldanha, 07/07/2012 01:19 AM
Actions
Copy link

Also available in: Atom PDF