Bug #5177

open

detect/engine-analyzer: rule analyzer warns about http buffers usage/replacement even when using new keyword

Added by Juliana Fajardini Reichow over 2 years ago. Updated 11 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Currently, a rule like:

"alert http any any -> any any (http.request_line; content:\"GET /index.html HTTP/1.0\"; sid:61;)" 

will still generate the warning that should be used only when outdated HTTP keywords are used:
"pattern looks like it inspects HTTP, use http.request_line or http.method and http.uri instead for improved performance" 

Expected behavior:
The warning should only be triggered if the rule still uses the corresponding legacy content modifier.
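
A sketch of the expected behavior as a stand-alone rule lint, added here as an example; it is not Suricata's analyzer code. The function names, the keyword mapping (an assumption limited to the buffers named in the warning text) and the sample rules with sids 62 and 63 are constructed for illustration.

```python
# Added illustration, not Suricata source code.
# Legacy keyword -> current sticky buffer (assumed mapping; only the
# buffers named in the warning text are covered).
LEGACY_TO_STICKY = {
    "http_method": "http.method",
    "http_uri": "http.uri",
    "http_request_line": "http.request_line",
}


def split_options(rule):
    """Return the option keywords of a rule as (name, value) pairs.

    Splits on ';' outside double quotes and honours backslash escapes,
    so text inside content:"..." is never mistaken for a keyword.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    options, current, in_quotes, escaped = [], [], False, False
    for ch in body:
        if ch == ";" and not in_quotes and not escaped:
            options.append("".join(current).strip())
            current = []
            continue
        if ch == '"' and not escaped:
            in_quotes = not in_quotes
        escaped = ch == "\\" and not escaped
        current.append(ch)
    pairs = []
    for opt in options:
        if opt:
            name, _, value = opt.partition(":")
            pairs.append((name.strip(), value.strip()))
    return pairs


def legacy_http_warnings(rule):
    """List (legacy keyword, suggested replacement) pairs used by a rule."""
    return [(name, LEGACY_TO_STICKY[name])
            for name, _ in split_options(rule)
            if name in LEGACY_TO_STICKY]


# Constructed samples: NEW_STYLE is the rule from this report, unescaped.
NEW_STYLE = 'alert http any any -> any any (http.request_line; content:"GET /index.html HTTP/1.0"; sid:61;)'
LEGACY = 'alert http any any -> any any (content:"GET"; http_method; content:"/index.html"; http_uri; sid:62;)'
TRICKY = 'alert http any any -> any any (http.uri; content:"a\\;http_uri\\;b"; sid:63;)'
```

Only `LEGACY` yields warnings; `TRICKY` shows that a legacy keyword name appearing inside a quoted pattern is not counted.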


Related issues 1 (1 open, 0 closed)

Copied to Suricata - Bug #6418: detect/engine-analyzer: rule parser error uses outdated buffer (New, OISF Dev)
#1

Updated by Victor Julien about 2 years ago

  • Target version changed from 7.0.0-beta1 to 8.0.0-beta1
#2

Updated by Juliana Fajardini Reichow about 1 year ago

  • Copied to Bug #6418: detect/engine-analyzer: rule parser error uses outdated buffer added
#3

Updated by Victor Julien 11 months ago

  • Assignee changed from Juliana Fajardini Reichow to OISF Dev