Bug #5656

open

rules: engine analysis gives false positive warning

Added by Victor Julien about 2 years ago. Updated about 2 years ago.

Status: New
Priority: Normal

Description

alert tls any any -> any any (tls.sni; content:"suricata.io"; sid:1;)
    App layer protocol is tls.
    Rule contains 1 content options, 0 http content options, 0 pcre options, and 0 pcre options with http modifiers.
    Fast Pattern "suricata.io" on "TLS Server Name Indication (SNI) extension (tls.sni)" buffer.
    Warning: TCP rule without a flow or flags option.
             -Consider adding flow or flags to improve performance of this rule.

The TCP rule warning shouldn't be issued, flow:to_server,established is implied.
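To make the expected behaviour concrete, the following is an added illustration (not Suricata's engine-analysis code and not from the reporter) of a checker that issues the "TCP rule without a flow or flags option" warning only when the rule has neither an explicit flow/flags option nor a buffer that already implies a direction, such as tls.sni. The option splitter, the TCP_PROTOS set and the idea of a lookup table for implied flow are assumptions made for this example; tls.sni mapping to to_server,established is what the report states.

```python
import re

# Buffers that carry an implicit flow setting. tls.sni -> to_server,established
# is from the bug report; the table itself is an assumption of this example.
IMPLIED_FLOW = {
    "tls.sni": "to_server,established",
}

# Assumption: protocols treated as "TCP rules" by the check.
TCP_PROTOS = {"tcp", "tls"}

RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<hdr>.+?)\s*\((?P<opts>.*)\)\s*$")


def split_options(text):
    """Split the option list on ';' while ignoring ';' inside double quotes."""
    out, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur).strip())
    return [o for o in out if o]


def parse_rule(rule):
    """Return (protocol, [(keyword, value), ...]) for a one-line rule."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not a rule: %r" % rule)
    opts = []
    for raw in split_options(m.group("opts")):
        key, _, val = raw.partition(":")
        opts.append((key.strip(), val.strip()))
    return m.group("proto").lower(), opts


def effective_flow(rule):
    """Explicit flow value if present, else the value implied by a buffer, else None."""
    _, opts = parse_rule(rule)
    for key, val in opts:
        if key == "flow":
            return val
    for key, _ in opts:
        if key in IMPLIED_FLOW:
            return IMPLIED_FLOW[key]
    return None


def needs_flow_warning(rule):
    """True only for TCP rules with no explicit or implied flow and no flags option."""
    proto, opts = parse_rule(rule)
    if proto not in TCP_PROTOS:
        return False
    if any(k in ("flow", "flags") for k, _ in opts):
        return False
    return effective_flow(rule) is None
```

Run against the rule from the report, needs_flow_warning returns False, which is the behaviour the reporter expects from engine analysis.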