Feature #5973
openwarn when HTTP rules will only work for a specific version of HTTP
Description
As a rule writer, I'd like to be warned should if a rule only supports certain versions of HTTP due to use of keywords which only support certain HTTP versions.
This feature was mentioned within https://github.com/OISF/suricata/pull/8670
Should we warn on a rule alert http that is only for HTTP1 or HTTP2 based on its keywords ?
I see no reason to not warn on this condition and as such am formally requesting it.
Side Note:
I could see some other use cases such as warning when nocase isn't applied to http.header_names, http.header, etc. Though perhaps those use cases are not good fits for the engine to identify.
Updated by Victor Julien 4 months ago
- Target version changed from TBD to 8.0.0-beta1
The warning should make sure not to ever warn on legacy keywords if HTTP/2 doesn't support them.
Also not sure if a warning is the proper way, as as a valid rule shouldn't really warn ideally. Wonder if it is more something for engine analysis.