Bug #6418
opendetect/engine-analyzer: rule parser error uses outdated buffer
Description
The engine parse error for an `http.uri` lacking a content match (because the content should come after it, not before) still mentions `http_uri`.
This is especially misleading because our documentation clearly states that the usage of `http_uri` requires `content` to come before.
Cf https://docs.suricata.io/en/latest/rules/http-keywords.html#http-uri-and-http-uri-raw
This task should also include updating the documentation to indicate that the syntax for `http.uri` differs from `http_uri`.
Error:
```
Error: [...] rule [...] setup buffer http_uri but didn't add matches to it [SigValidate:detect-parse.c:1933]
Error: detect: error parsing signature "alert http any any -> any any (msg:"Check http.uri"; content:"/images.gif"; http.uri; sid:3;)" from file test.rules at line 3 [DetectLoadSigFile:detect-engine-loader.c:180]
Error: suricata: Loading signatures failed. [LoadSignatures:suricata.c:2416]
```
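The ordering difference described above, as an added example that is not part of the original report and is not Suricata's parser: a small rule lint that checks only the two keywords named here and reports the keyword exactly as the rule spells it. The function names, keyword sets and finding messages are assumptions made for illustration.

```python
import re

# Assumption: only the two keywords from the report are modelled.
STICKY_BUFFERS = {"http.uri"}      # sticky buffer: matches come after it
CONTENT_MODIFIERS = {"http_uri"}   # legacy modifier: content comes before it
MATCH_KEYWORDS = {"content", "pcre"}

def option_names(rule):
    """Keyword names, in order, from the parenthesised option list."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    # Options end at ';' and a literal ';' inside a value is written '\;'.
    parts = re.split(r"(?<!\\);", body)
    return [p.split(":", 1)[0].strip() for p in parts if p.strip()]

def lint_buffer_order(rule):
    """Return findings that name the keyword as written in the rule."""
    findings = []
    sticky = None            # sticky buffer currently selected
    sticky_matched = True    # whether that buffer has received a match
    seen_content = False     # whether a content keyword precedes this point
    for name in option_names(rule):
        if name in STICKY_BUFFERS:
            if sticky and not sticky_matched:
                findings.append(f"{sticky}: no match after sticky buffer")
            sticky, sticky_matched = name, False
        elif name in MATCH_KEYWORDS:
            sticky_matched = True
            seen_content = seen_content or name == "content"
        elif name in CONTENT_MODIFIERS and not seen_content:
            findings.append(f"{name}: no content before content modifier")
    if sticky and not sticky_matched:
        findings.append(f"{sticky}: no match after sticky buffer")
    return findings

# REPORTED is the rule quoted in the report (sid:3); the others are constructed.
REPORTED = ('alert http any any -> any any (msg:"Check http.uri"; '
            'content:"/images.gif"; http.uri; sid:3;)')
STICKY_OK = ('alert http any any -> any any (msg:"sticky"; '
             'http.uri; content:"/images.gif"; sid:4;)')
MODIFIER_OK = ('alert http any any -> any any (msg:"modifier"; '
               'content:"/images.gif"; http_uri; sid:5;)')

if __name__ == "__main__":
    for r in (REPORTED, STICKY_OK, MODIFIER_OK):
        print(lint_buffer_order(r) or "ok")
```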