Project

General

Profile

Actions
Copy link

Feature #7092

open

frames: support rules with multiple different frames

Added by Philippe Antoine 3 months ago. Updated 3 months ago.

Status:
New
Priority:
Normal
Assignee:
Victor Julien
Target version:
8.0.0-beta1
Effort:
Difficulty:
Label:

Description

Example

alert enip any any -> any any (msg:"one present frame and one absent"; flow:established,to_server; frame:enip.hdr; bsize:24; frame:enip.cip; bsize: 12; sid:1;)

This behaves the same as 

alert enip any any -> any any (msg:"one present frame and one absent"; flow:established,to_server; frame:enip.hdr; bsize:24; sid:1;)

First version could be to refuse to load such a rule
But it would be even better to have it working. Hint : these 2 frames belong to the same transaction

Related issues 1 (1 open0 closed)

Blocks Suricata - Story #7124: rules: improve rule languageNewVictor JulienActions
Actions
Copy link
 #1

Updated by Juliana Fajardini Reichow 3 months ago

  • Target version changed from TBD to 8.0.0-beta1
Actions
Copy link
 #2

Updated by Victor Julien 2 months ago

  • Blocks Story #7124: rules: improve rule language added
Actions
Copy link

Also available in: Atom PDF