Bug #5177: detect/analyzer: rule analyzer warns about http buffers usage

Added by Juliana Fajardini Reichow about 4 years ago. Updated 10 months ago.

Status: Closed
Priority: Normal
Target version:
Affected Versions:
Effort: low
Difficulty: low
Label:

Description

Currently, a rule like:

"alert http any any -> any any (http.request_line; content:\"GET /index.html HTTP/1.0\"; sid:61;)" 

will still generate the warning that should be used only when outdated HTTP keywords are used:
"pattern looks like it inspects HTTP, use http.request_line or http.method and http.uri instead for improved performance" 

Expected behavior:
The warning should only be triggered if the rule still uses the corresponding legacy content modifier.


Related issues 1 (1 open, 0 closed)

Copied to Suricata - Optimization #6418: detect/parse: rule parser error uses outdated buffer | Assigned | OISF Dev

Updated by Victor Julien over 3 years ago #1

  • Target version changed from 7.0.0-beta1 to 8.0.0-beta1

Updated by Juliana Fajardini Reichow over 2 years ago #2

  • Copied to Optimization #6418: detect/parse: rule parser error uses outdated buffer added

Updated by Victor Julien about 2 years ago #3

  • Assignee changed from Juliana Fajardini Reichow to OISF Dev

Updated by Victor Julien about 1 year ago #4

  • Target version changed from 8.0.0-beta1 to 8.0.0-rc1

Updated by Philippe Antoine 11 months ago #5

I cannot reproduce with master b4095bf683a7fcbcedc7ef015ed9e44cff17a9ed

Updated by Juliana Fajardini Reichow 10 months ago #6

Philippe Antoine wrote in #note-5:

I cannot reproduce with master b4095bf683a7fcbcedc7ef015ed9e44cff17a9ed

While I fail at getting the output in the Suricata logs, I do see it as part of the engine analyzer Warnings in the rules.json file. I'll create a PR showing it.
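
A check for the behaviour discussed in the description and in the comment above, as an added example that is not part of the ticket or of Suricata's code: it scans engine-analysis `rules.json` records for rules that carry the warning while using only sticky buffers. The one-object-per-line layout, the field names `raw`, `id` and `warnings`, and the regexes for legacy versus sticky keywords are assumptions; the sample records are constructed.

```python
import json
import re
import sys

# Warning text quoted in the issue description.
HTTP_WARNING = ("pattern looks like it inspects HTTP, use http.request_line or "
                "http.method and http.uri instead for improved performance")

# Assumption: legacy content modifiers are underscore-form options (http_uri,
# http_method, ...); sticky buffers are the dotted form (http.request_line, ...).
LEGACY_MODIFIER = re.compile(r";\s*http_[a-z_]+\s*;")
STICKY_BUFFER = re.compile(r"[(;]\s*http\.[a-z_.]+\s*;")

# Constructed sample records; field names "raw", "id", "warnings" are assumed.
SAMPLE = [json.dumps(r) for r in (
    {"id": 61, "warnings": [HTTP_WARNING], "raw":
     'alert http any any -> any any (http.request_line; '
     'content:"GET /index.html HTTP/1.0"; sid:61;)'},
    {"id": 62, "warnings": [HTTP_WARNING], "raw":
     'alert http any any -> any any (content:"GET"; http_method; sid:62;)'},
    {"id": 63, "warnings": [], "raw":
     'alert http any any -> any any (http.uri; content:"/index.html"; sid:63;)'},
    {"id": 64, "warnings": [HTTP_WARNING], "raw":
     'alert http any any -> any any (http.uri; content:"/a"; '
     'content:"GET"; http_method; sid:64;)'},
)]


def spurious_http_warnings(lines):
    """Return ids of rules warned about HTTP despite using only sticky buffers."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        raw = rec.get("raw", "")
        warned = any(HTTP_WARNING in w for w in rec.get("warnings", []))
        if warned and STICKY_BUFFER.search(raw) and not LEGACY_MODIFIER.search(raw):
            hits.append(rec.get("id"))
    return hits


if __name__ == "__main__":
    # Pass a rules.json path to check real output; otherwise run the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(spurious_http_warnings(fh))
    else:
        print(spurious_http_warnings(SAMPLE))
```

Only rule 61 is reported: rules 62 and 64 still use a legacy modifier, so the warning is expected there, and rule 63 carries no warning.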

Updated by Shivani Bhardwaj 10 months ago #8

  • Subject changed from detect/engine-analyzer: rule analyzer warns about http buffers usage/replacement even when using new keyword to detect/analyzer: rule analyzer warns about http buffers usage
  • Status changed from New to In Review
  • Assignee changed from OISF Dev to Shivani Bhardwaj
  • Effort set to low

Not an issue with http parser. Limited to engine analysis only. In Review PR: https://github.com/OISF/suricata/pull/13332

Updated by Shivani Bhardwaj 10 months ago #9

  • Status changed from In Review to Closed

Updated by Shivani Bhardwaj 10 months ago #10

  • Difficulty set to low