<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>You can't cross the streams --
<a class="moz-txt-link-freetext" href="https://github.com/counterthreatunit/suricata/blob/bc864435600d7c7b463d117472f92f392e61d1f4/doc/userguide/rules/differences-from-snort.rst#don-t-cross-the-streams">https://github.com/counterthreatunit/suricata/blob/bc864435600d7c7b463d117472f92f392e61d1f4/doc/userguide/rules/differences-from-snort.rst#don-t-cross-the-streams</a></p>
<p>Either remove the http_* keyword(s) or replace the dsize with an
(absolute) isdataat if you expect everything to be in a single
packet.<br>
</p>
<p>-David<br>
</p>
<div class="moz-cite-prefix">On 03/31/2017 11:38 AM, erik clark
wrote:<br>
</div>
<blockquote
cite="mid:CAK6atxr0LWmr9cLAr3n9rCVEymxpDGTP3UGvAs8=seEqA7dO5A@mail.gmail.com"
type="cite">
<div dir="ltr">I unfortunately can't post the sig, but I am having
a problem with modifying it. I hope someone can explain how to
fix it based on the error:
<div><br>
</div>
<div>SC_ERR_INVALID_SIGNATURE...</div>
<div>Signature combines packet specific matches (like dsize,
flags, ttl) with stream / state matching by matching on app
layer proto (like using http_* keywords)</div>
<div><br>
</div>
<div>I don't particularly understand this, but it is definitely
an issue with http keywords. The sig consistently fires false
positives on .<a moz-do-not-send="true"
href="http://amazon.com">amazon.com</a> and .<a
moz-do-not-send="true" href="http://adap.tv">adap.tv</a>.
What I tried to do was append to the end of the sig:</div>
<div><br>
</div>
<div>content:!".<a moz-do-not-send="true"
href="http://amazon.com">amazon.com</a>"; http_host;
content:!".<a moz-do-not-send="true" href="http://adap.tv">adap.tv</a>";
http_host;</div>
<div><br>
</div>
<div>and got the above error. The sig currently performs the
following inspection:</div>
<div><br>
</div>
<div>flow:established, to_server; dsize: SIZE; stream_size:
both, <=SIZE; byte_test: 4, !=address,0; (several byte
extracts follow)</div>
<div><br>
</div>
<div>with my http_host keywords tacked on the end.</div>
<div><br>
</div>
<div>Thanks!</div>
<div><br>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Suricata IDS Users mailing list: <a class="moz-txt-link-abbreviated" href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
Site: <a class="moz-txt-link-freetext" href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a class="moz-txt-link-freetext" href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>
List: <a class="moz-txt-link-freetext" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
</pre>
</blockquote>
<br>
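<p>As an added example (not from the thread and not Suricata's own code), a small Python lint that flags the keyword combination behind this SC_ERR_INVALID_SIGNATURE and applies David's second suggestion by rewriting dsize into an absolute isdataat; the constructed rule, the keyword classes and the dsize-to-isdataat mapping are assumptions made for the example.</p>

```python
import re

# Keyword classes named by the SC_ERR_INVALID_SIGNATURE message in the thread:
# packet-specific matches vs. app-layer (http_*) matching. Simplified stand-in
# for Suricata's own check, not its implementation.
PACKET_KEYWORDS = {"dsize", "flags", "ttl"}
APP_LAYER_PREFIXES = ("http_",)

# Constructed rule in the shape described in the thread (values are made up).
RULE_BAD = ('alert tcp any any -> any any (msg:"constructed example"; '
            'flow:established,to_server; dsize:>200; '
            'content:!".amazon.com"; http_host; content:!".adap.tv"; '
            'http_host; sid:1000001; rev:1;)')

def parse_options(rule):
    """Split the (...) option block into (keyword, value) pairs (no ';' in quotes)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = []
    for item in body.split(";"):
        item = item.strip()
        if item:
            key, _, val = item.partition(":")
            opts.append((key.strip(), val.strip()))
    return opts

def crosses_streams(rule):
    """Return the keywords that mix packet matching with app-layer matching
    (the combination the error rejects); empty list if the rule is fine."""
    keys = [k for k, _ in parse_options(rule)]
    pkt = [k for k in keys if k in PACKET_KEYWORDS]
    app = [k for k in keys if k.startswith(APP_LAYER_PREFIXES)]
    return pkt + app if pkt and app else []

def dsize_to_isdataat(rule):
    """Replace dsize with an absolute isdataat so the size check runs on the
    reassembled stream. Assumed mapping: isdataat:N matches when more than N
    bytes exist, so dsize:>N -> isdataat:N, and exact dsize:N keeps only its
    lower bound (isdataat:N-1). Other forms raise so they get rewritten by hand."""
    def repl(m):
        op, n = m.group(1), int(m.group(2))
        if op == ">":
            return f"isdataat:{n};"
        if op == "":
            return f"isdataat:{n - 1};"
        raise ValueError(f"dsize:{op}{n} has no automatic isdataat form")
    out = re.sub(r"dsize\s*:\s*([<>]?)\s*(\d+)\s*;", repl, rule)
    if re.search(r"\bdsize\s*:", out):
        raise ValueError("unsupported dsize form, rewrite by hand")
    return out
```

Running `crosses_streams` on the rewritten rule returns an empty list, which is the condition the error message in the thread is checking for.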
</body>
</html>