[Oisf-users] question about commercial sig error
David Wharton
oisf at davidwharton.us
Fri Mar 31 18:57:28 UTC 2017
You can't cross the streams --
https://github.com/counterthreatunit/suricata/blob/bc864435600d7c7b463d117472f92f392e61d1f4/doc/userguide/rules/differences-from-snort.rst#don-t-cross-the-streams
Either remove the http_* keyword(s) or replace the dsize with an
(absolute) isdataat if you expect everything be in a single packet.
-David
On 03/31/2017 11:38 AM, erik clark wrote:
> I unfortunately can't post the sig, but I am having a problem with
> modifying it. I hope someone can explain how to fix it based on the
> error:
>
> SC_ERR_INVALID_SIGNATURE...
> Signature combines packet specific matches (like dsize, flags, ttl)
> with stream / state matching by matching on app layer proto (like
> using http_* keywords)
>
> I dont particularly understand this, but it is definitely an issue
> with http keywords. The sig consistently fires false positives on
> .amazon.com <http://amazon.com> and .adap.tv <http://adap.tv>. What I
> tried to do was append to the end of the sig:
>
> content:!".amazon.com <http://amazon.com>"; http_host;
> content:!".adap.tv <http://adap.tv>"; http_host;
>
> and got the above error. The sig currently performs the following
> inspection:
>
> flow:established, to_server; dsize: SIZE; stream_size: both, <=SIZE;
> byte_test: 4, !=address,0; (several byte extracts follow)
>
> with my http_host keywords tacked on the end.
>
> Thanks!
>
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170331/13b6662f/attachment-0002.html>
More information about the Oisf-users
mailing list