Bug #5929
Updated by Victor Julien about 1 year ago
Consider the following rules and the attached pcap <pre> <code> alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; urilen:<70; http.uri; content:".php?"; content:"=01&"; distance:4; within:4; fast_pattern; sid:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.uri; bsize:<70; content:".php?"; content:"=01&"; distance:4; within:4; fast_pattern; sid:2;) alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; urilen:<70; http.uri; content:".php?"; content:"=01&"; distance:4; within:4; sid:3;) alert http $HOME_NET any -> $EXTERNAL_NET any (flow:established,to_server; http.uri; content:".php?"; content:"=01&"; distance:4; within:4; fast_pattern; sid:4;) </pre> </code> Only sid:2, sid:3 and sid:4 fire on git-master (Suricata 7.0.0-rc2-dev (416a780f6 2023-03-17)) and 6.0.10. sid:2 is a good workaround, however, it lacks whatever optimization that urilen has to make it effect checks (see https://redmine.openinfosecfoundation.org/issues/4226#note-3) see https://redmine.openinfosecfoundation.org/issues/5197 for a simliar issue