Bug #6418

open

detect/engine-analyzer: rule parser error uses outdated buffer

Added by Juliana Fajardini Reichow about 1 year ago. Updated 11 months ago.

Status: New
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

The engine parse error for `http.uri` lacking a content match (because it should come after, not before) still mentions `http_uri`.
This is especially misleading because our documentation clearly states that the usage of `http_uri` requires `content` to come before.
Cf https://docs.suricata.io/en/latest/rules/http-keywords.html#http-uri-and-http-uri-raw

This task should also include updating the documentation to indicate that the syntax for `http.uri` differs from `http_uri`.

Error:

```
Error: [...] rule [...] setup buffer http_uri but didn't add matches to it [SigValidate:detect-parse.c:1933]
Error: detect: error parsing signature "alert http any any -> any any (msg:"Check http.uri"; content:"/images.gif"; http.uri; sid:3;)" from file test.rules at line 3 [DetectLoadSigFile:detect-engine-loader.c:180]
Error: suricata: Loading signatures failed. [LoadSignatures:suricata.c:2416]
```
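
A pre-load lint for the condition behind the error above, as an added example that is not part of the original report or of Suricata's code: it flags sticky buffers that are set up but never followed by a match, naming the keyword as written in the rule. The keyword sets and the helper names `split_options` and `empty_sticky_buffers` are assumptions of this example; it is a simplified check, not Suricata's parser.

```python
# Assumption: a small subset of Suricata sticky buffers, enough for this example.
STICKY_BUFFERS = {"http.uri", "http.uri.raw", "http.method", "http.host", "http.user_agent"}
# Assumption: keywords treated here as "adding a match" to the active buffer.
MATCH_KEYWORDS = {"content", "pcre"}

def split_options(rule):
    """Return the option keywords of a rule, in order, ignoring ';' inside quotes."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    options, current, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False          # this character was escaped; take it literally
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            options.append("".join(current).strip())
            current = []
            continue
        current.append(ch)
    return [opt.split(":", 1)[0].strip() for opt in options if opt]

def empty_sticky_buffers(rule):
    """Return sticky buffers that are set up but never receive a match."""
    empty, active, matched = [], None, False
    for keyword in split_options(rule):
        if keyword in STICKY_BUFFERS:
            if active and not matched:
                empty.append(active)
            active, matched = keyword, False
        elif keyword in MATCH_KEYWORDS and active:
            matched = True
    if active and not matched:
        empty.append(active)
    return empty

# Rule quoted in the report: content precedes the sticky buffer, so http.uri stays empty.
REPORTED = 'alert http any any -> any any (msg:"Check http.uri"; content:"/images.gif"; http.uri; sid:3;)'
# Constructed variants: sticky buffer first, and the older content-modifier form.
STICKY_OK = 'alert http any any -> any any (msg:"Check http.uri"; http.uri; content:"/images.gif"; sid:3;)'
MODIFIER_OK = 'alert http any any -> any any (msg:"Check http_uri"; content:"/images.gif"; http_uri; sid:3;)'

if __name__ == "__main__":
    for rule in (REPORTED, STICKY_OK, MODIFIER_OK):
        print(empty_sticky_buffers(rule) or "ok", "<-", rule)
```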


Related issues 1 (1 open, 0 closed)

Copied from Suricata - Bug #5177: detect/engine-analyzer: rule analyzer warns about http buffers usage/replacement even when using new keyword (New, OISF Dev)