Bug #5656: rules: engine analysis gives false positive warning

Added by Victor Julien over 3 years ago. Updated 10 months ago.

Status: Closed
Priority: Normal

Description

alert tls any any -> any any (tls.sni; content:"suricata.io"; sid:1;)
    App layer protocol is tls.
    Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "suricata.io" on "TLS Server Name Indication (SNI) extension (tls.sni)" buffer.
    Warning: TCP rule without a flow or flags option.
             -Consider adding flow or flags to improve performance of this rule.

The TCP rule warning shouldn't be issued; flow:to_server,established is implied.

#1 Updated by peter russel over 3 years ago

same problem here:

rule:
reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for dns9.quad9.net"; dns.query; content:"dns9.quad9.net"; nocase; fast_pattern; classtype:bad-unknown; sid:27995003; flow:to_server; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, database_domainlist_id(s) 2, updated_at 2022_11_12;)

analysis result:
Sid: 27995003
reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for dns9.quad9.net"; dns.query; content:"dns9.quad9.net"; nocase; fast_pattern; classtype:bad-unknown; sid:27995003; flow:to_server; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, database_domainlist_id(s) 2, updated_at 2022_11_12;)
App layer protocol is dns.
Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "dns9.quad9.net" on "dns request query (dns_query)" buffer.
Warning: TCP rule without a flow or flags option.
-Consider adding flow or flags to improve performance of this rule.
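To make the expected behaviour concrete for both rules above (the tls.sni rule from the description and the dns.query rule in this comment), here is an added Python rule-lint sketch; it is not Suricata's analyzer code. It assumes, as a simplified heuristic, that an app-layer protocol in the rule header or a sticky buffer such as tls.sni implies flow direction, and that a flow/flags keyword counts wherever it appears in the option list.

```python
import re

# Constructed samples: the two rules from this ticket (metadata trimmed) plus a
# raw-TCP control rule that should still receive the warning.
RULES = [
    'alert tls any any -> any any (tls.sni; content:"suricata.io"; sid:1;)',
    'reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for dns9.quad9.net"; '
    'dns.query; content:"dns9.quad9.net"; nocase; fast_pattern; classtype:bad-unknown; '
    'sid:27995003; flow:to_server; rev:1;)',
    'alert tcp any any -> any any (content:"foo"; sid:3;)',
]

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^\s*(\w+)\s+(\w+)\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$')

# Assumption (simplified model of the fix): rules on these header protocols are
# app-layer/TX inspected, so an established flow and direction are implied.
APP_LAYER_PROTOS = {"tls", "dns", "http", "http2", "ssh", "smtp", "ftp", "smb"}

def parse_options(body):
    """Split the option body on ';' outside quotes -> [(keyword, value|None)]."""
    opts, cur, in_q = [], [], False
    for ch in body + ";":          # trailing ';' flushes a final unterminated token
        if ch == '"':
            in_q = not in_q
        if ch == ";" and not in_q:
            tok = "".join(cur).strip()
            cur = []
            if tok:
                k, _, v = tok.partition(":")
                opts.append((k.strip(), v.strip() or None))
        else:
            cur.append(ch)
    return opts

def analyze(rule):
    """Return sid, header proto and the warnings the lint would emit."""
    m = HEADER_RE.match(rule)
    if not m:
        raise ValueError("unparseable rule")
    _action, proto, _direction, body = m.groups()
    opts = parse_options(body)
    keys = {k for k, _ in opts}
    sid = next((v for k, v in opts if k == "sid"), None)
    # Sticky buffers (tls.sni, dns.query, http.uri, ...) also mark a rule as app-layer.
    app_layer = proto in APP_LAYER_PROTOS or any("." in k for k in keys)
    warnings = []
    if proto == "tcp" and not app_layer and not keys & {"flow", "flags"}:
        warnings.append("TCP rule without a flow or flags option.")
    return {"sid": sid, "proto": proto, "warnings": warnings}
```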

#2 Updated by Philippe Antoine 10 months ago

Fixed on 8:

== Sid: 1 ==
alert tls any any -> any any (tls.sni; content:"suricata.io"; sid:1;)
    Rule is App-layer TX inspecting.
    App layer protocol is tls.
    Fast Pattern "suricata.io" on "TLS Server Name Indication (SNI) extension (tls.sni)" buffer.
    No warnings for this rule.

#3 Updated by Philippe Antoine 10 months ago

  • Status changed from New to Closed

Also fixed in 7.0.12
