Project

General

Profile

Actions

Feature #5746

open

http.connection - allow in server response

Added by Brandon Murphy about 2 months ago. Updated about 2 months ago.

Status:
New
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Currently when using http.connection in combination with "to_client" produces the following error

Problem starting Suricata daemon: 7/12/2022 -- 19:57:49 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 1 mixes keywords with conflicting directions

however, for whatever reason, the connection header is often observed in the HTTP Server Response.

This limitation forces the use of http.header to match on the Connection header instead of using the more specific buffer.


Files

out.pcap (1.19 KB) out.pcap Brandon Murphy, 12/08/2022 03:49 AM
Actions #1

Updated by Victor Julien about 2 months ago

Can you share a pcap / SV test for a connection with connection header in to client direction?

Actions #2

Updated by Brandon Murphy about 2 months ago

You betcha! Attached is a pcap of a wget to a benign site which exhibits this same behavior.

Actions

Also available in: Atom PDF