
Hi,<br><br>Believe this rule will work if you put the http_header content first:<br><br>alert tcp any 80 -> any any (msg:"negate content http_header"; 

flow:to_client,established; content:!"def"; http_header; file_data; content:"abc"; distance:0; classtype:web-application-activity; sid:92891232; rev:1;)<br><br>Don't think distance:0 does anything in this rule so it could be removed.<br>

<br>Regards,<br>Eileen<br>

<br><div class="gmail_quote">On Thu, Apr 5, 2012 at 5:34 PM, rmkml <span dir="ltr"><<a href="mailto:rmkml@yahoo.fr" target="_blank">rmkml@yahoo.fr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">


Hi,<br>

<br>

Anyone check why this sig not work please?<br>

I request support it because first content are "linked" with file_data,<br>

and second negated content are linke with http_header:<br>

<br>

alert tcp any 80 -> any any (msg:"negate content http_header"; flow:to_client,established; file_data; content:"abc"; distance:0;<br>

content:!"def"; http_header; classtype:web-application-activity; sid:92891232; rev:1;)<br>

<br>

Suricata error:<br>

5/4/2012 -- 23:25:21 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword found inside the rule without a content context.<br>

Please use a "content" keyword before using the "http_header" keyword<br>

5/4/2012 -- 23:25:21 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any 80 -> any any (msg:"negate content<br>

http_header"; flow:to_client,established; file_data; content:"abc"; distance:0; content:!"def"; http_header;<br>

classtype:web-application-activity; sid:92891232; rev:1;)" from file test.rules at line 1<br>

<br>

If anyone confirm, Im open a new redmine ticket.<br>

<br>

Regards<br>

<span><font color="#888888">Rmkml<br>

_______________________________________________<br>

Oisf-devel mailing list<br>

<a href="mailto:Oisf-devel@openinfosecfoundation.org" target="_blank">Oisf-devel@openinfosecfoundation.org</a><br>

<a href="http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel" target="_blank">http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel</a><br>

</font></span></blockquote></div><br>