[Oisf-devel] only a small comment on file_data with content http_header

Anoop Saldanha anoopsaldanha at gmail.com
Sun Mar 10 02:31:22 UTC 2013


On Sun, Mar 10, 2013 at 2:19 AM, rmkml <rmkml at yahoo.fr> wrote:
> Hi,
>
> First, congratulations on the last two Suricata versions!
>
> I have a small comment with this Suricata error signature:
>
> 9/3/2013 -- 21:41:34 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
> "http_header" keyword found inside the rule without a content context.
> Please use a "content" keyword before using the "http_header" keyword
> 9/3/2013 -- 21:41:34 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
> error parsing signature "alert tcp any 80 -> any any (msg:"test http_header
> content negated"; flow:to_client,established; file_data; content:"c";
> nocase; within:10; distance:0; content:!"abc"; http_header;
> classtype:web-application-activity; sid:1; rev:1;)" from file test.rules at
> line 1
>
> Same error with "enabled" content http_header:
> 9/3/2013 -- 21:44:43 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
> "http_header" keyword found inside the rule without a content context.
> Please use a "content" keyword before using the "http_header" keyword
> 9/3/2013 -- 21:44:43 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] -
> error parsing signature "alert tcp any 80 -> any any (msg:"test http_header
> content negated"; flow:to_client,established; file_data; content:"c";
> nocase; within:10; distance:0; content:"abc"; http_header;
> classtype:web-application-activity; sid:1; rev:1;)" from file test.rules at
> line 1
>
> I'm curious about this error "content keyword before using the http_header
> keyword"?
> (in my example, content exists before http_header)
>

You'll have to reset the file_data sticky buffer with pkt_data.

-- 
Anoop Saldanha
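
Added example, not part of the original thread and not Suricata's own code: a small Python lint that models the behavior discussed above, where a content following file_data binds to that sticky buffer, so a later http_header modifier has no packet-payload content to attach to. The keyword sets are an illustrative subset, and the position of pkt_data in the second rule is an assumption based on the reply.

```python
import re

# Illustrative subsets, not Suricata's full keyword tables (assumption).
STICKY = {"file_data"}                      # redirects following content keywords
RESET = {"pkt_data"}                        # switches back to the packet payload
MODIFIERS = {"http_header", "http_uri", "http_cookie", "http_method"}

# Rule quoted in the thread, joined onto one line.
RULE_FROM_THREAD = (
    'alert tcp any 80 -> any any (msg:"test http_header content negated"; '
    'flow:to_client,established; file_data; content:"c"; nocase; within:10; '
    'distance:0; content:"abc"; http_header; '
    'classtype:web-application-activity; sid:1; rev:1;)'
)
# Assumed placement of the reset suggested in the reply.
RULE_WITH_RESET = RULE_FROM_THREAD.replace(
    'content:"abc";', 'pkt_data; content:"abc";'
)

def split_options(rule):
    """Split the parenthesised option list on ';' outside quoted strings."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    options = []
    for chunk in re.findall(r'(?:[^;"\\]|\\.|"(?:[^"\\]|\\.)*")+', body):
        name, _, value = chunk.strip().partition(":")
        if name:
            options.append((name.strip(), value.strip()))
    return options

def lint(rule):
    """Return (modifier, buffer) pairs whose preceding content is not in pkt_data."""
    findings = []
    active = "pkt_data"        # buffer that the next content will bind to
    last_content = None        # buffer of the most recent content keyword
    for name, _ in split_options(rule):
        if name in STICKY:
            active = name
        elif name in RESET:
            active, last_content = "pkt_data", None
        elif name == "content":
            last_content = active
        elif name in MODIFIERS and last_content != "pkt_data":
            findings.append((name, last_content))
    return findings

if __name__ == "__main__":
    for label, rule in (("thread", RULE_FROM_THREAD), ("reset", RULE_WITH_RESET)):
        print(label, lint(rule) or "ok")
```
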


