[Oisf-devel] request enhance Suricata v1.3.0beta1 for file_data and negate http_header
rmkml
rmkml at yahoo.fr
Thu Apr 5 21:34:22 UTC 2012
Hi,
Can anyone check why this sig does not work, please?
I am requesting support for it because the first content is "linked" with file_data,
and the second, negated content is linked with http_header:
alert tcp any 80 -> any any (msg:"negate content http_header"; flow:to_client,established; file_data; content:"abc"; distance:0; content:!"def"; http_header; classtype:web-application-activity; sid:92891232; rev:1;)
Suricata error:
5/4/2012 -- 23:25:21 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword found inside the rule without a content context. Please use a "content" keyword before using the "http_header" keyword
5/4/2012 -- 23:25:21 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any 80 -> any any (msg:"negate content http_header"; flow:to_client,established; file_data; content:"abc"; distance:0; content:!"def"; http_header; classtype:web-application-activity; sid:92891232; rev:1;)" from file test.rules at line 1
If anyone confirms, I'll open a new Redmine ticket.
Regards
Rmkml