[Oisf-users] question about commercial sig error

erik clark philosnef at gmail.com
Fri Mar 31 15:38:49 UTC 2017

I unfortunately can't post the sig, but I am having a problem with
modifying it. I hope someone can explain how to fix it based on the error:

Signature combines packet specific matches (like dsize, flags, ttl) with
stream / state matching by matching on app layer proto (like using http_*

I dont particularly understand this, but it is definitely an issue with
http keywords. The sig consistently fires false positives on .amazon.com
and .adap.tv. What I tried to do was append to the end of the sig:

content:!".amazon.com"; http_host; content:!".adap.tv"; http_host;

and got the above error. The sig currently performs the following

flow:established, to_server; dsize: SIZE; stream_size: both, <=SIZE;
byte_test: 4, !=address,0; (several byte extracts follow)

with  my http_host keywords tacked on the end.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170331/3ddae0b8/attachment.html>

More information about the Oisf-users mailing list