Bug #5177
closed
detect/analyzer: rule analyzer warns about http buffers usage
Added by Juliana Fajardini Reichow over 3 years ago.
Updated 19 days ago.
Description
Currently, a rule like:
alert http any any -> any any (http.request_line; content:"GET /index.html HTTP/1.0"; sid:61;)
Will still generate the warning that should be used only when outdated HTTP keywords are used:
"pattern looks like it inspects HTTP, use http.request_line or http.method and http.uri instead for improved performance"
Expected behavior: The warning should only be triggered if the rule still uses the corresponding legacy content modifier.
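The behaviour the ticket asks for, as an added example in Python that is mine and not Suricata's own engine analyzer code: each content is attributed either to the http.* sticky buffer active when it appears or to the legacy http_* modifier that follows it, and the "looks like it inspects HTTP" warning is raised only when an HTTP-looking pattern is not already inside an http.* buffer. The legacy-to-sticky table and the request-line sniffing regex are my assumptions about the heuristic, the sample rules are constructed, and flagging an HTTP-looking content on the bare payload (no HTTP buffer at all) is my reading of the warning text rather than something the ticket states.

```python
import re

# Legacy HTTP content modifiers and the sticky-buffer keyword that replaced
# each one (assumed mapping for this example).
LEGACY_TO_STICKY = {
    "http_method": "http.method",
    "http_uri": "http.uri",
    "http_raw_uri": "http.uri.raw",
    "http_request_line": "http.request_line",
    "http_header": "http.header",
    "http_raw_header": "http.header.raw",
    "http_cookie": "http.cookie",
    "http_user_agent": "http.user_agent",
    "http_host": "http.host",
    "http_raw_host": "http.host.raw",
    "http_client_body": "http.request_body",
    "http_server_body": "http.response_body",
    "http_stat_code": "http.stat_code",
    "http_stat_msg": "http.stat_msg",
}

# A pattern "looks like it inspects HTTP" when it starts with a request
# method or carries an HTTP version token (assumed heuristic).
HTTP_LOOKING = re.compile(
    r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH)\s|\sHTTP/[01]\.[019]"
)

# Constructed sample rules: sticky buffer, legacy modifier, bare payload,
# and a mixed rule where pkt_data drops back to the raw payload.
STICKY_RULE = 'alert http any any -> any any (http.request_line; content:"GET /index.html HTTP/1.0"; sid:61;)'
LEGACY_RULE = 'alert http any any -> any any (content:"GET /index.html HTTP/1.0"; http_request_line; sid:62;)'
RAW_RULE = 'alert tcp any any -> any 80 (content:"GET /index.html HTTP/1.0"; sid:63;)'
MIXED_RULE = 'alert http any any -> any any (http.uri; content:"/index.html"; pkt_data; content:"POST /x HTTP/1.1"; sid:64;)'


def split_options(body):
    """Split the text inside the rule parentheses on ';' outside quotes,
    honouring backslash escapes (\\" and \\; inside content strings)."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def analyze_rule(rule):
    """Return analyzer-style warnings for one rule string."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    sticky = None      # http.* buffer currently in effect, if any
    contents = []      # one entry per content keyword, in order
    sid = "?"
    for opt in split_options(body):
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip()
        if not value and name.startswith("http."):
            sticky = name                      # sticky buffer: applies to following contents
        elif not value and name == "pkt_data":
            sticky = None                      # back to the raw payload
        elif name == "content":
            pattern = value.lstrip("!").strip('"')
            contents.append({"pattern": pattern, "buffer": sticky, "legacy": None})
        elif not value and name in LEGACY_TO_STICKY and contents:
            contents[-1]["legacy"] = name      # legacy modifier: applies to the preceding content
        elif name == "sid":
            sid = value

    warnings = []
    for c in contents:
        if not HTTP_LOOKING.search(c["pattern"]):
            continue
        if c["buffer"] is not None:
            continue  # already on an http.* sticky buffer: this is the case from the ticket
        if c["legacy"]:
            warnings.append(
                f'sid {sid}: content "{c["pattern"]}" uses legacy modifier {c["legacy"]}; '
                f'use {LEGACY_TO_STICKY[c["legacy"]]} instead for improved performance'
            )
        else:
            warnings.append(
                f'sid {sid}: pattern "{c["pattern"]}" looks like it inspects HTTP, '
                "use http.request_line or http.method and http.uri instead for improved performance"
            )
    return warnings


if __name__ == "__main__":
    for r in (STICKY_RULE, LEGACY_RULE, RAW_RULE, MIXED_RULE):
        print(r)
        for w in analyze_rule(r) or ["  (no warning)"]:
            print("  " + w)
```

The important design point is that buffer attribution is positional: an http.* keyword changes the buffer for every content after it until pkt_data, while a legacy http_* modifier changes only the content immediately before it, so the two forms cannot be distinguished by merely scanning the rule for keyword names.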
- Target version changed from 7.0.0-beta1 to 8.0.0-beta1
- Copied to Bug #6418: detect/parse: rule parser error uses outdated buffer added
- Assignee changed from Juliana Fajardini Reichow to OISF Dev
- Target version changed from 8.0.0-beta1 to 8.0.0-rc1
I cannot reproduce with master b4095bf683a7fcbcedc7ef015ed9e44cff17a9ed
Philippe Antoine wrote in #note-5:
I cannot reproduce with master b4095bf683a7fcbcedc7ef015ed9e44cff17a9ed
While I fail at getting the output in the Suricata logs, I do see it as part of the engine analyzer Warnings in the rules.json file. I'll create a PR showing it.
- Subject changed from detect/engine-analyzer: rule analyzer warns about http buffers usage/replacement even when using new keyword to detect/analyzer: rule analyzer warns about http buffers usage
- Status changed from New to In Review
- Assignee changed from OISF Dev to Shivani Bhardwaj
- Effort set to low
- Status changed from In Review to Closed