Suricata

I agree the error message needs to be fixed for this negation case.

But what is the point of having a negated match that can't possibly fit the bsize budget? We can know content:!"|0d 0a|User-Agent|0d 0a|"; will be true at parsing time, right? I guess I'm saying that I do think the rule should at least warn you that there is a useless combination of expressions.

Victor Julien wrote in #note-1:

But what is the point of having a negated match that can't possibly fit the bsize budget?

This is a great question.

I'm curious though, is there an order of operations that could impact the performance profile of such a rule?

We can know content:!"|0d 0a|User-Agent|0d 0a|"; will be true at parsing time, right?

In this example, yes, but this is also just a simple example. I'm not sure this exact example occurs in the ET ruleset, but i'm SURE the condition you're speaking about does.

I'm guessing these conditions (where the negation can't possibly be present given the bsize limitation) are likely "artifacts" created by the process of updating rules logic that checked for header order (largely by pcre) from http_header to http.header_names. In the old buffers, these negations made a lot of sense in the old style of rules.

I guess I'm saying that I do think the rule should at least warn you that there is a useless combination of expressions.

I agree, it'd be great! is that a separate feature request? It'd help me a lot in identifying all the rules that have this condition, in the various buffers, to get them cleaned up

Brandon Murphy wrote in #note-2:

I'm curious though, is there an order of operations that could impact the performance profile of such a rule?

This is an example of one where this question is relevant:

http.header_names; bsize:22; content:"|0d 0a|Host|0d 0a|Connection|0d 0a 0d 0a|"; content:!"User-Agent"; content:!"Referer";

While I'm sure the answer is "it depends" and currently is likely impacted by #4226, are the negations helping the engine in any way in the above example? or is it better to remove the negations and let the bsize and content handle all the required optimization?