[Oisf-devel] only a small comment on file_data with content http_header
rmkml
rmkml at yahoo.fr
Sat Mar 9 20:49:06 UTC 2013
Hi,
First, congratulations on the last two Suricata versions!
I have a small comment with this Suricata error signature:
9/3/2013 -- 21:41:34 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword found inside the rule without a content context.
Please use a "content" keyword before using the "http_header" keyword
9/3/2013 -- 21:41:34 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any 80 -> any any (msg:"test
http_header content negated"; flow:to_client,established; file_data; content:"c"; nocase; within:10; distance:0; content:!"abc"; http_header;
classtype:web-application-activity; sid:1; rev:1;)" from file test.rules at line 1
Same error with "enabled" content http_header:
9/3/2013 -- 21:44:43 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - "http_header" keyword found inside the rule without a content context.
Please use a "content" keyword before using the "http_header" keyword
9/3/2013 -- 21:44:43 - <Error> - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - error parsing signature "alert tcp any 80 -> any any (msg:"test
http_header content negated"; flow:to_client,established; file_data; content:"c"; nocase; within:10; distance:0; content:"abc"; http_header;
classtype:web-application-activity; sid:1; rev:1;)" from file test.rules at line 1
I'm curious about this error, "content keyword before using the http_header keyword"?
(in my example, content exists before http_header)
Regards
Rmkml