Project

General

Profile

Actions

Feature #6823

closed

SC_WARN_POOR_RULE on to_lowercase/to_uppercase transformation with non-possible matching content

Added by Brandon Murphy 9 months ago. Updated 7 months ago.

Status:
Rejected
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Came across this error today which detected uppercase letters in a buffer that is normalized to lowercase.

Would be nice to have this on the to_lowercase/to_uppercase transformations too

        "[ERRCODE: SC_WARN_POOR_RULE(276)] - rule 2003612: A pattern with uppercase chars detected for http_host.  Since the hostname buffer we match against is lowercase only, please specify a lowercase pattern.\n\n
Actions #1

Updated by Brandon Murphy 8 months ago

found another error on http.host today, not sure if it's different logic from the above or not. (maybe just different version of suri?)

[212 - Suricata-Main] 2024-03-25 17:52:53 Warning: detect-http-host: rule 1: A pattern with uppercase characters detected for http.host. The hostname buffer is normalized to lowercase, please specify a lowercase pattern.
Actions #2

Updated by Brandon Murphy 7 months ago

  • Status changed from New to Rejected

i think this might already be a thing, but not the warning, it actually doesn't load the rule

Error: detect-content: content string \"x-auth-token|3a 20|AuroraSdnToken\" incompatible with to_lowercase transform\n\n[9]

going to close this, good work whoever did this.

Actions

Also available in: Atom PDF