Bug #5177

closed

detect/analyzer: rule analyzer warns about http buffers usage

Added by Juliana Fajardini Reichow over 3 years ago. Updated 19 days ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort: low
Difficulty: low
Label:

Description

Currently, a rule like:

"alert http any any -> any any (http.request_line; content:\"GET /index.html HTTP/1.0\"; sid:61;)" 

will still generate the warning that should be used only when outdated HTTP keywords are used:
"pattern looks like it inspects HTTP, use http.request_line or http.method and http.uri instead for improved performance" 

Expected behavior:
The warning should only be triggered if the rule still uses the corresponding legacy content modifier.


Related issues 1 (1 open, 0 closed)

Copied to Suricata - Bug #6418: detect/parse: rule parser error uses outdated buffer (New, OISF Dev)
#1

Updated by Victor Julien over 2 years ago

  • Target version changed from 7.0.0-beta1 to 8.0.0-beta1
#2

Updated by Juliana Fajardini Reichow over 1 year ago

  • Copied to Bug #6418: detect/parse: rule parser error uses outdated buffer added
#3

Updated by Victor Julien over 1 year ago

  • Assignee changed from Juliana Fajardini Reichow to OISF Dev
#4

Updated by Victor Julien 4 months ago

  • Target version changed from 8.0.0-beta1 to 8.0.0-rc1
#5

Updated by Philippe Antoine 30 days ago

I cannot reproduce with master b4095bf683a7fcbcedc7ef015ed9e44cff17a9ed

#6

Updated by Juliana Fajardini Reichow 23 days ago

Philippe Antoine wrote in #note-5:

I cannot reproduce with master b4095bf683a7fcbcedc7ef015ed9e44cff17a9ed

While I fail at getting the output in the Suricata logs, I do see it as part of the engine analyzer Warnings in the rules.json file. I'll create a PR showing it.
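
A triage check for the situation described in the issue and in the comment above, as an added example that is not part of the original thread or Suricata's code: it flags analyzer records that carry the quoted warning even though the rule uses one of the sticky buffers the warning recommends. The record shape (`raw` and `warnings` fields, one JSON object per line) is an assumption about the engine-analysis rules.json output, and the sample records are constructed.

```python
import json
import re

# Warning text quoted in the issue description.
WARNING = ("pattern looks like it inspects HTTP, use http.request_line or "
           "http.method and http.uri instead for improved performance")
# Sticky buffers named by the warning, and their legacy content-modifier forms.
STICKY = ("http.request_line", "http.method", "http.uri")
LEGACY = ("http_request_line", "http_method", "http_uri")

def keywords(rule):
    """Return option keyword names from a rule's (...) body, ignoring quoted strings."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    body = re.sub(r'"(?:\\.|[^"\\])*"', '""', body)  # blank out content patterns
    return [opt.split(":", 1)[0].strip() for opt in body.split(";") if opt.strip()]

def classify(record):
    """Classify one record; assumed shape: {"raw": str, "warnings": [str]}."""
    if not any(WARNING in w for w in record.get("warnings", [])):
        return "no-warning"
    kws = keywords(record["raw"])
    if any(k in LEGACY for k in kws):
        return "legacy"          # legacy modifier in use: not the reported case
    if any(k in STICKY for k in kws):
        return "false-positive"  # the case reported in this issue
    return "other"               # warning present, no HTTP buffer keyword at all

def false_positives(lines):
    """Return raw rules from JSON-lines records that match the reported case."""
    records = [json.loads(line) for line in lines if line.strip()]
    return [r["raw"] for r in records if classify(r) == "false-positive"]

# Constructed sample records; the first rule is the one from the issue description.
SAMPLE = [
    json.dumps({"raw": 'alert http any any -> any any (http.request_line; '
                       'content:"GET /index.html HTTP/1.0"; sid:61;)',
                "warnings": [WARNING]}),
    json.dumps({"raw": 'alert tcp any any -> any any '
                       '(content:"GET /index.html HTTP/1.0"; sid:62;)',
                "warnings": [WARNING]}),
    json.dumps({"raw": 'alert http any any -> any any (http.uri; '
                       'content:"/index.html"; sid:63;)', "warnings": []}),
]

if __name__ == "__main__":
    for rule in false_positives(SAMPLE):
        print("warning not expected for:", rule)
```
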

#8

Updated by Shivani Bhardwaj 22 days ago

  • Subject changed from detect/engine-analyzer: rule analyzer warns about http buffers usage/replacement even when using new keyword to detect/analyzer: rule analyzer warns about http buffers usage
  • Status changed from New to In Review
  • Assignee changed from OISF Dev to Shivani Bhardwaj
  • Effort set to low

Not an issue with http parser. Limited to engine analysis only. In Review PR: https://github.com/OISF/suricata/pull/13332

#9

Updated by Shivani Bhardwaj 19 days ago

  • Status changed from In Review to Closed
#10

Updated by Shivani Bhardwaj 19 days ago

  • Difficulty set to low