Bug #7523
openrules/prefilter: prefilter keyword ignored when in content rule
Affected Versions:
Effort:
Difficulty:
Label:
Description
In a rule that places `prefilter` on a non-content keyword (here `stream_size`) while the rule also has a `content` keyword, the `prefilter` keyword is ignored: the rule dump below still carries the `prefilter` flag, but the `content` match is what gets selected as the MPM, so the intended prefilter on `stream_size` does not take effect.
alert tcp any any -> any any (flow:established,to_server; stream_size:server,<,1111; prefilter; content: "EICAR"; sid:20;)
{
"raw": "alert tcp any any -> any any (flow:established,to_server; stream_size:server,<,1111; prefilter; content: \"EICAR\"; sid:20;)",
"id": 20,
"gid": 1,
"rev": 0,
"app_proto": "unknown",
"requirements": [
"payload",
"flow"
],
"type": "pkt_stream",
"flags": [
"src_any",
"dst_any",
"sp_any",
"dp_any",
"need_packet",
"need_stream",
"toserver",
"prefilter"
],
"pkt_engines": [
{
"name": "payload",
"is_mpm": true
},
{
"name": "packet",
"is_mpm": false
}
],
"frame_engines": [],
"lists": {
"packet": {
"matches": [
{
"name": "flow"
},
{
"name": "stream_size"
}
]
},
"payload": {
"matches": [
{
"name": "content",
"content": {
"pattern": "EICAR",
"length": 5,
"nocase": false,
"negated": false,
"starts_with": false,
"ends_with": false,
"is_mpm": true,
"no_double_inspect": true,
"fast_pattern": false,
"relative_next": false
}
}
]
}
},
"mpm": {
"buffer": "payload",
"pattern": "EICAR",
"length": 5,
"nocase": false,
"negated": false,
"starts_with": false,
"ends_with": false,
"is_mpm": true,
"no_double_inspect": true,
"fast_pattern": false,
"relative_next": false
}
}