[Oisf-users] question about commercial sig error
erik clark
philosnef at gmail.com
Fri Mar 31 15:38:49 UTC 2017
I unfortunately can't post the sig, but I am having a problem with
modifying it. I hope someone can explain how to fix it based on the error:
SC_ERR_INVALID_SIGNATURE...
Signature combines packet specific matches (like dsize, flags, ttl) with
stream / state matching by matching on app layer proto (like using http_*
keywords)
I don't particularly understand this, but it is definitely an issue with
http keywords. The sig consistently fires false positives on .amazon.com
and .adap.tv. What I tried to do was append to the end of the sig:
content:!".amazon.com"; http_host; content:!".adap.tv"; http_host;
and got the above error. The sig currently performs the following
inspection:
flow:established, to_server; dsize: SIZE; stream_size: both, <=SIZE;
byte_test: 4, !=address,0; (several byte extracts follow)
with my http_host keywords tacked on the end.
Thanks!
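The error quoted in the post describes a rule that mixes two inspection modes: packet-specific keywords (dsize, flags, ttl) that are evaluated against a single packet, and app-layer keywords (http_* modifiers, or an app-layer protocol such as http in the rule header) that are evaluated against reassembled, parsed application state. Suricata refuses to load a rule that does both. The linter below is an added example, not part of the original post or of Suricata; it tokenizes a rule's option list with a quote-aware splitter and reports which keywords fall on each side of that line, so a rule can be checked before it is loaded. The keyword sets are an assumption limited to the examples the error message itself names (Suricata has more packet-level keywords than these), and the three rules are constructed inputs that only resemble the shape the poster describes.

```python
import re

# Packet-specific keywords: the set is an assumption taken from the examples
# named in the Suricata error message on this page; the real set is larger.
PACKET_KEYWORDS = {"dsize", "flags", "ttl"}

# Rule-header protocols and option keywords that bind a rule to an app-layer
# protocol (http_* is the legacy modifier style, http.* the sticky-buffer style).
APP_LAYER_PROTOS = {"http", "tls", "dns", "smtp", "ssh", "ftp", "smb"}
APP_LAYER_KEYWORD_PREFIXES = ("http_", "http.", "tls.", "dns.", "ssh.")

# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$", re.S
)


def split_options(body):
    """Split the option body on ';', honouring quotes and backslash escapes.

    Returns a list of (keyword, value) pairs; modifiers such as http_host
    carry an empty value.
    """
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if "".join(cur).strip():
        opts.append("".join(cur).strip())
    pairs = []
    for opt in opts:
        if not opt:
            continue
        key, _, value = opt.partition(":")
        pairs.append((key.strip(), value.strip()))
    return pairs


def lint_rule(rule):
    """Classify a rule's matches and flag the packet/app-layer combination."""
    match = HEADER_RE.match(rule)
    if not match:
        raise ValueError("not a recognisable rule header")
    _action, proto, _direction, body = match.groups()
    options = split_options(body)
    packet = [k for k, _ in options if k in PACKET_KEYWORDS]
    app_layer = [k for k, _ in options if k.startswith(APP_LAYER_KEYWORD_PREFIXES)]
    if proto in APP_LAYER_PROTOS:
        # An app-layer protocol in the header binds the rule to state matching too.
        app_layer.insert(0, f"proto:{proto}")
    return {"packet": packet, "app_layer": app_layer,
            "invalid": bool(packet and app_layer)}


# Constructed sample rules (sids and values are placeholders, not real signatures).
MIXED_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed mixed rule"; '
              'flow:established,to_server; dsize:64; stream_size:both,<=64; '
              'byte_test:4,!=,0,0; content:!".amazon.com"; http_host; sid:1000001; rev:1;)')
HTTP_ONLY_RULE = ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed http rule"; '
                  'flow:established,to_server; content:!".amazon.com"; http_host; '
                  'sid:1000002; rev:1;)')
PACKET_ONLY_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed packet rule"; '
                    'flow:established,to_server; dsize:64; ttl:64; byte_test:4,!=,0,0; '
                    'sid:1000003; rev:1;)')

if __name__ == "__main__":
    for name, rule in (("mixed", MIXED_RULE), ("http-only", HTTP_ONLY_RULE),
                       ("packet-only", PACKET_ONLY_RULE)):
        print(name, lint_rule(rule))
```

Run on the mixed rule the linter reports dsize on the packet side and http_host on the app-layer side and marks it invalid, which is the combination the quoted SC_ERR_INVALID_SIGNATURE text objects to; the two single-mode rules pass. The splitter is quote-aware so that a `;` inside a content pattern does not break the option list, which a naive `split(";")` would.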