Feature #5784
Status: closed
detect: allow cross buffer inspection on multi-buffer matches
Description
Cf. calls to InspectionBufferSetupMulti to get the keywords which use multi-buffer.
If I have the rules
alert mqtt any any -> any any (msg:"HTTP2 - Two Headers - Authority/Method"; mqtt.subscribe.topic; content:"topicX"; mqtt.subscribe.topic; content:"topicY"; sid:5;)
alert mqtt any any -> any any (msg:"HTTP2 - Two Headers - Authority/Method"; mqtt.subscribe.topic; content:"topicY"; sid:6;)
alert mqtt any any -> any any (msg:"HTTP2 - Two Headers - Authority/Method"; mqtt.subscribe.topic; content:"topicX"; sid:7;)
And run them on S-V test mqtt-sub-rules/mqtt5_sub_userpass.pcap
I get alerts for sid 6 and 7 on the same packet and transaction, but not for sid 5
In this pcap, there is an MQTT subscribe for these two different topics: topicX and topicY.
But there is no topic which contains both contents topicX and topicY at the same time.
There is no such feature in the detection engine to have "multiple buffer" keywords have different contents for different buffers (and still have the ability to have multiple contents for only one buffer).
The different contents for a unique sm_list (value can be g_http2_header_buffer_id) are aggregated in a single SigMatchData linked list.
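To make the behaviour described above concrete, here is a small model of the two matching semantics, added as an illustration and not taken from the issue or from Suricata's own code. It parses the three rules from the description with a hypothetical minimal option parser (sticky buffer tracking plus plain substring `content` matching; relative modifiers, fast_pattern and negation are deliberately not modelled), represents the SUBSCRIBE transaction as a constructed list of two topic buffers, and runs the aggregated content list once per buffer (the current behaviour: all contents must hit in the same buffer) and once per content across buffers (my reading of the requested cross-buffer semantics, which is an assumption). The per-buffer run alerts on sid 6 and 7 only; the cross-buffer run also alerts on sid 5.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for the SUBSCRIBE transaction in the pcap: two topic
# filters in one transaction, each of which becomes one inspection buffer.
SUBSCRIBE_TOPICS = ["topicX", "topicY"]

# The three rules quoted in the issue, one per line.
RULES = r'''
alert mqtt any any -> any any (msg:"HTTP2 - Two Headers - Authority/Method"; mqtt.subscribe.topic; content:"topicX"; mqtt.subscribe.topic; content:"topicY"; sid:5;)
alert mqtt any any -> any any (msg:"HTTP2 - Two Headers - Authority/Method"; mqtt.subscribe.topic; content:"topicY"; sid:6;)
alert mqtt any any -> any any (msg:"HTTP2 - Two Headers - Authority/Method"; mqtt.subscribe.topic; content:"topicX"; sid:7;)
'''


@dataclass
class Rule:
    sid: int
    # sticky buffer name -> contents attached to it (the per-buffer sm_list)
    contents: dict = field(default_factory=dict)


# option name, then either :"quoted value", :bare value, or nothing, then ';'
OPTION_RE = re.compile(r'(\w[\w.]*)(?::"((?:[^"\\]|\\.)*)"|:([^;]*))?;')


def parse_rule(line):
    """Hypothetical minimal parser for the option section of a rule (not
    Suricata's parser): walks the options in order, remembers the current
    sticky buffer and attaches each content to it."""
    opts = line[line.index("(") + 1:line.rindex(")")]
    rule = Rule(sid=0)
    current_buffer = None
    for m in OPTION_RE.finditer(opts):
        name, quoted, bare = m.group(1), m.group(2), m.group(3)
        if name == "sid":
            rule.sid = int(bare)
        elif name == "content":
            if current_buffer is None:
                raise ValueError("content outside a sticky buffer is not modelled")
            rule.contents.setdefault(current_buffer, []).append(quoted)
        elif quoted is None and bare is None:
            # a bare keyword such as mqtt.subscribe.topic selects a sticky buffer
            current_buffer = name
    return rule


def match_per_buffer(rule, buffers, buffer_name="mqtt.subscribe.topic"):
    """Behaviour the issue describes: the whole aggregated content list for the
    sticky buffer is run against each buffer in turn, so every content has to
    be found in the same buffer."""
    needed = rule.contents.get(buffer_name, [])
    return any(all(c in buf for c in needed) for buf in buffers)


def match_cross_buffer(rule, buffers, buffer_name="mqtt.subscribe.topic"):
    """Assumed semantics of the feature request: each content may be satisfied
    by any of the buffers of the transaction."""
    needed = rule.contents.get(buffer_name, [])
    return all(any(c in buf for buf in buffers) for c in needed)


def alerting_sids(rule_text, buffers, matcher):
    """Return the sorted sids that alert on the given buffers under a matcher."""
    rules = [parse_rule(r) for r in rule_text.strip().splitlines() if r.strip()]
    return sorted(r.sid for r in rules if matcher(r, buffers))


if __name__ == "__main__":
    print("per-buffer  :", alerting_sids(RULES, SUBSCRIBE_TOPICS, match_per_buffer))
    print("cross-buffer:", alerting_sids(RULES, SUBSCRIBE_TOPICS, match_cross_buffer))
```

Note that under the per-buffer semantics sid 5 does fire if a single topic happens to contain both strings (for example a topic named "topicXtopicY"), which is exactly the "multiple contents for only one buffer" ability the reporter wants to keep while adding the cross-buffer case.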
Victor, assigning to you as this requires deep design