Hi,<br><br>Believe this rule will work if you put the http_header content first:<br><br>alert tcp any 80 -> any any (msg:"negate content http_header"; 
flow:to_client,established; content:!"def"; http_header; file_data; content:"abc"; distance:0; classtype:web-application-activity; sid:92891232; rev:1;)<br><br>Don't think distance:0 does anything in this rule so it could be removed.<br>
<br>Regards,<br>Eileen<br>
<br><div class="gmail_quote">On Thu, Apr 5, 2012 at 5:34 PM, rmkml <span dir="ltr"><<a href="mailto:rmkml@yahoo.fr" target="_blank">rmkml@yahoo.fr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">

Hi,<br>
<br>
Can anyone check why this sig does not work, please?<br>
I request support for it because the first content is "linked" with file_data,<br>
and the second negated content is linked with http_header:<br>
<br>
alert tcp any 80 -> any any (msg:"negate content http_header"; flow:to_client,established; file_data; content:"abc"; distance:0;<br>
content:!"def"; http_header; classtype:web-application-activity; sid:92891232; rev:1;)<br>
<br>
Suricata error:<br>
5/4/2012 -- 23:25:21 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword found inside the rule without a content context.<br>
Please use a "content" keyword before using the "http_header" keyword<br>
5/4/2012 -- 23:25:21 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any 80 -> any any (msg:"negate content<br>
http_header"; flow:to_client,established; file_data; content:"abc"; distance:0; content:!"def"; http_header;<br>
classtype:web-application-activity; sid:92891232; rev:1;)" from file test.rules at line 1<br>
<br>
If anyone confirms, I'll open a new Redmine ticket.<br>
<br>
Regards<br>
<span><font color="#888888">Rmkml<br>
</font></span></blockquote></div><br>
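A lint check for the keyword-ordering problem discussed in this thread, added here as an example; it is not code from either poster or from Suricata. It assumes that file_data acts as a sticky buffer binding every later content, and that http_header must attach to a preceding content not already bound that way; the function names are hypothetical.

```python
# Assumptions of this sketch (not taken from Suricata's source):
# file_data binds every later content; http_header needs an unbound content.
STICKY = {"file_data"}
MODIFIERS = {"http_header"}

# The two rules quoted in the thread.
FAILING = ('alert tcp any 80 -> any any (msg:"negate content http_header"; '
           'flow:to_client,established; file_data; content:"abc"; distance:0; '
           'content:!"def"; http_header; classtype:web-application-activity; '
           'sid:92891232; rev:1;)')
REORDERED = ('alert tcp any 80 -> any any (msg:"negate content http_header"; '
             'flow:to_client,established; content:!"def"; http_header; '
             'file_data; content:"abc"; distance:0; '
             'classtype:web-application-activity; sid:92891232; rev:1;)')

def split_options(rule):
    """Split the (...) part into (keyword, value) pairs, honouring quotes."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts, buf, in_quote, escaped = [], "", False, False
    for ch in body:
        if ch == ";" and not in_quote and not escaped:
            if buf.strip():
                key, _, val = buf.strip().partition(":")
                opts.append((key.strip(), val.strip() or None))
            buf = ""
            continue
        if ch == '"' and not escaped:
            in_quote = not in_quote
        escaped = (ch == "\\") and not escaped
        buf += ch
    return opts

def check_modifier_order(rule):
    """Return findings for modifiers that have no usable content before them."""
    findings, sticky, last_content = [], None, None
    for key, val in split_options(rule):
        if key in STICKY:
            sticky = key                   # later contents bind to this buffer
        elif key == "content":
            last_content = (val, sticky)   # remember which buffer owns it
        elif key in MODIFIERS:
            if last_content is None:
                findings.append(f"{key}: no preceding content")
            elif last_content[1]:
                findings.append(f"{key}: content:{last_content[0]} "
                                f"is already bound to {last_content[1]}")
    return findings

if __name__ == "__main__":
    for name, rule in (("original", FAILING), ("reordered", REORDERED)):
        print(name, check_modifier_order(rule) or "ok")
```

The quote-aware splitter matters here because the msg string itself contains the text http_header, which a plain substring search would misread as the keyword.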