Bug #5656: rules: engine analysis gives false positive warning - Suricata - Open Information Security Foundation

PR Updated by peter russel over 3 years ago Actions
Copy link
#1

same problem here:

rule:
reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for dns9.quad9.net"; dns.query; content:"dns9.quad9.net"; nocase; fast_pattern; classtype:bad-unknown; sid:27995003; flow:to_server; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, database_domainlist_id(s) 2, updated_at 2022_11_12;)

analysis result:
Sid: 27995003
reject dns $HOME_NET any -> $EXTERNAL_NET 53 (msg:"(o)DoH Query for dns9.quad9.net"; dns.query; content:"dns9.quad9.net"; nocase; fast_pattern; classtype:bad-unknown; sid:27995003; flow:to_server; rev:1; metadata:affected_product Any, attack_target Client_Endpoint, database_domainlist_id(s) 2, updated_at 2022_11_12;)
App layer protocol is dns.
Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
Fast Pattern "dns9.quad9.net" on "dns request query (dns_query)" buffer.
Warning: TCP rule without a flow or flags option.
-Consider adding flow or flags to improve performance of this rule.

PA Updated by Philippe Antoine 9 months ago Actions
Copy link
#2

Fixed on 8:

== Sid: 1 ==
alert tls any any -> any any (tls.sni; content:"suricata.io"; sid:1;)
    Rule is App-layer TX inspecting.
    App layer protocol is tls.
    Fast Pattern "suricata.io" on "TLS Server Name Indication (SNI) extension (tls.sni)" buffer.
    No warnings for this rule.

PA Updated by Philippe Antoine 9 months ago Actions
Copy link
#3

Status changed from New to Closed

Also fixed in 7.0.12

Project

General

Profile

Suricata

Custom queries

Bug #5656

rules: engine analysis gives false positive warning

PR Updated by peter russel over 3 years ago Actions
Copy link
#1

PA Updated by Philippe Antoine 9 months ago Actions
Copy link
#2

PA Updated by Philippe Antoine 9 months ago Actions
Copy link
#3

Project

General

Profile

Suricata

Custom queries

Bug #5656

rules: engine analysis gives false positive warning

PR Updated by peter russel over 3 years ago ActionsCopy link #1

PA Updated by Philippe Antoine 9 months ago ActionsCopy link #2

PA Updated by Philippe Antoine 9 months ago ActionsCopy link #3

PR Updated by peter russel over 3 years ago Actions
Copy link
#1

PA Updated by Philippe Antoine 9 months ago Actions
Copy link
#2

PA Updated by Philippe Antoine 9 months ago Actions
Copy link
#3