Feature #5973

open

warn when HTTP rules will only work for a specific version of HTTP

Added by Brandon Murphy 6 months ago. Updated 4 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

As a rule writer, I'd like to be warned if a rule only supports certain versions of HTTP due to use of keywords which only support certain HTTP versions.

This feature was mentioned within https://github.com/OISF/suricata/pull/8670

Should we warn on a rule alert http that is only for HTTP1 or HTTP2 based on its keywords?

I see no reason to not warn on this condition and as such am formally requesting it.

Side Note:
I could see some other use cases such as warning when nocase isn't applied to http.header_names, http.header, etc. Though perhaps those use cases are not good fits for the engine to identify.

#1

Updated by Victor Julien 4 months ago

  • Target version changed from TBD to 8.0.0-beta1

The warning should make sure not to ever warn on legacy keywords if HTTP/2 doesn't support them.

Also not sure if a warning is the proper way, as a valid rule shouldn't really warn ideally. Wonder if it is more something for engine analysis.
