Actions
Feature #6823
closedSC_WARN_POOR_RULE on to_lowercase/to_uppercase transformation with non-possible matching content
Description
Came across this error today which detected uppercase letters in a buffer that is normalized to lowercase.
Would be nice to have this on the to_lowercase/to_uppercase transformations too
"[ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2003612: A pattern with uppercase chars detected for http_host. Since the hostname buffer we match against is lowercase only, please specify a lowercase pattern.\n\n
Updated by Brandon Murphy 8 months ago
found another error on http.host today, not sure if it's different logic from the above or not. (maybe just different version of suri?)
[212 - Suricata-Main] 2024-03-25 17:52:53 Warning: detect-http-host: rule 1: A pattern with uppercase characters detected for http.host. The hostname buffer is normalized to lowercase, please specify a lowercase pattern.
Updated by Brandon Murphy 8 months ago
- Status changed from New to Rejected
i think this might already be a thing, but not the warning, it actually doesn't load the rule
Error: detect-content: content string \"x-auth-token|3a 20|AuroraSdnToken\" incompatible with to_lowercase transform\n\n[9]
going to close this, good work whoever did this.
Actions