Bug #5656
closedrules: engine analysis gives false positive warning
Description
alert tls any any -> any any (tls.sni; content:"suricata.io"; sid:1;)
App layer protocol is tls.
Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "suricata.io" on "TLS Server Name Indication (SNI) extension (tls.sni)" buffer.
Warning: TCP rule without a flow or flags option.
-Consider adding flow or flags to improve performance of this rule.
The TCP rule warning shouldn't be issued; flow:to_server,established is implied.
Updated by peter russel over 3 years ago
Same problem here:
rule:
reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for dns9.quad9.net"; dns.query; content:"dns9.quad9.net"; nocase; fast_pattern; classtype:bad-unknown; sid:27995003; flow:to_server; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, database_domainlist_id(s) 2, updated_at 2022_11_12;)
analysis result:
Sid: 27995003
reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for dns9.quad9.net"; dns.query; content:"dns9.quad9.net"; nocase; fast_pattern; classtype:bad-unknown; sid:27995003; flow:to_server; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, database_domainlist_id(s) 2, updated_at 2022_11_12;)
App layer protocol is dns.
Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "dns9.quad9.net" on "dns request query (dns_query)" buffer.
Warning: TCP rule without a flow or flags option.
-Consider adding flow or flags to improve performance of this rule.
Updated by Philippe Antoine 10 months ago
Fixed on 8:
== Sid: 1 ==
alert tls any any -> any any (tls.sni; content:"suricata.io"; sid:1;)
Rule is App-layer TX inspecting.
App layer protocol is tls.
Fast Pattern "suricata.io" on "TLS Server Name Indication (SNI) extension (tls.sni)" buffer.
No warnings for this rule.
Updated by Philippe Antoine 10 months ago
- Status changed from New to Closed
Also fixed in 7.0.12
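A simplified re-implementation of the analysis heuristic this bug is about, added here as an example and not Suricata's own code: a TCP rule missing flow/flags gets the warning, unless the rule inspects an app-layer transaction buffer such as tls.sni or dns.query, for which flow:to_server,established is implied. The buffer and protocol sets are assumed subsets, and the option parser is a simplified one.

```python
import re

# App-layer sticky buffers that make a rule "App-layer TX inspecting" (assumed subset).
APP_LAYER_BUFFERS = {"tls.sni", "dns.query", "http.uri", "http.host"}
# Rule protocols the analyzer treats as running over TCP (assumed subset; dns is
# included because the buggy analyzer reported the dns rule as a "TCP rule").
TCP_PROTOS = {"tcp", "tls", "http", "dns"}
TCP_WARNING = "Warning: TCP rule without a flow or flags option."

# action, protocol, header (no parentheses), then the option body in parentheses.
RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\S+)\s+[^(]*\((?P<opts>.*)\)\s*$")

def split_options(body):
    """Split the option body on ';' outside double quotes (no escape handling)."""
    parts, buf, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    return [p for p in parts + ["".join(buf).strip()] if p]

def parse_rule(rule):
    """Return (protocol, [(keyword, value), ...]) for a single-line rule."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unrecognised rule syntax")
    keywords = [tuple(s.strip() for s in opt.partition(":")[::2])
                for opt in split_options(m.group("opts"))]
    return m.group("proto").lower(), keywords

def analyze(rule):
    """Analyze one rule; warnings stay empty for app-layer TX inspecting rules."""
    proto, keywords = parse_rule(rule)
    names = {name for name, _ in keywords}
    tx_inspecting = bool(names & APP_LAYER_BUFFERS)
    warnings = []
    # The bug: the original check ignored tx_inspecting and warned on tls.sni/dns.query rules.
    if proto in TCP_PROTOS and not tx_inspecting and not (names & {"flow", "flags"}):
        warnings.append(TCP_WARNING)
    return {"proto": proto, "tx_inspecting": tx_inspecting, "warnings": warnings}

def report(rule):
    """Render lines in the style of the fixed engine-analysis output."""
    a = analyze(rule)
    lines = [rule.strip()]
    if a["tx_inspecting"]:
        lines.append("Rule is App-layer TX inspecting.")
    if a["proto"] != "tcp":
        lines.append(f"App layer protocol is {a['proto']}.")
    return lines + (a["warnings"] or ["No warnings for this rule."])
```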