Project

General

Profile

Actions
Copy link

Feature #7092

open
PA VJ

frames: support rules with multiple different frames

Feature #7092: frames: support rules with multiple different frames

Added by Philippe Antoine almost 2 years ago. Updated 6 months ago.

Status:
Assigned
Priority:
Normal
Assignee:
Victor Julien
Target version:
9.0.0-beta1
Effort:
Difficulty:
Label:

Description

Example

alert enip any any -> any any (msg:"one present frame and one absent"; flow:established,to_server; frame:enip.hdr; bsize:24; frame:enip.cip; bsize: 12; sid:1;)

This behaves the same as 

alert enip any any -> any any (msg:"one present frame and one absent"; flow:established,to_server; frame:enip.hdr; bsize:24; sid:1;)

First version could be to refuse to load such a rule
But it would be even better to have it working. Hint : these 2 frames belong to the same transaction

Related issues 1 (1 open0 closed)

Related to Suricata - Story #7900: 9.0.0: rules: improve rule languageAssignedVictor JulienActions

JF Updated by Juliana Fajardini Reichow almost 2 years ago Actions
Copy link
 #1

  • Target version changed from TBD to 8.0.0-beta1

VJ Updated by Victor Julien almost 2 years ago Actions
Copy link
 #2

  • Blocks Story #7124: rules: improve rule language added

VJ Updated by Victor Julien about 1 year ago Actions
Copy link
 #3

  • Target version changed from 8.0.0-beta1 to 9.0.0-beta1

VJ Updated by Victor Julien 7 months ago Actions
Copy link
 #4

  • Blocks deleted (Story #7124: rules: improve rule language)

VJ Updated by Victor Julien 7 months ago Actions
Copy link
 #5

  • Related to Story #7900: 9.0.0: rules: improve rule language added

VJ Updated by Victor Julien 6 months ago Actions
Copy link
 #6

  • Status changed from New to Assigned
Actions
Copy link

Also available in: PDF Atom