[Oisf-users] question about commercial sig error

David Wharton oisf at davidwharton.us
Fri Mar 31 18:57:28 UTC 2017

You can't cross the streams --

Either remove the http_* keyword(s) or replace the dsize with an
(absolute) isdataat if you expect everything to be in a single packet.


On 03/31/2017 11:38 AM, erik clark wrote:
> I unfortunately can't post the sig, but I am having a problem with
> modifying it. I hope someone can explain how to fix it based on the
> error:
> Signature combines packet specific matches (like dsize, flags, ttl)
> with stream / state matching by matching on app layer proto (like
> using http_* keywords)
> I don't particularly understand this, but it is definitely an issue
> with http keywords. The sig consistently fires false positives on
> .amazon.com and .adap.tv. What I
> tried to do was append to the end of the sig:
> content:!".amazon.com"; http_host;
> content:!".adap.tv"; http_host;
> and got the above error. The sig currently performs the following
> inspection:
> flow:established, to_server; dsize: SIZE; stream_size: both, <=SIZE;
> byte_test: 4, !=address,0; (several byte extracts follow)
> with my http_host keywords tacked on the end.
> Thanks!
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
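The load-time check behind that error, as an added example that is not Suricata's own validation code: a small Python linter that splits a rule's option block into keywords, flags any packet-level keyword (dsize, flags, ttl and a few other header matches) mixed with an http_* keyword, and names the two fixes from the reply above (drop the http_* keywords, or drop the packet-level keyword). The two keyword sets are an illustrative subset rather than Suricata's full classification, the isdataat replacement is not modelled, and the three sample rules, their placeholder content and their sid values are constructed for this example.

```python
from __future__ import annotations

import re

# Keywords evaluated against a single packet (illustrative subset: the three
# named in the Suricata error message plus a few other header matches).
PACKET_KEYWORDS = {"dsize", "flags", "ttl", "id", "fragbits", "ipopts",
                   "seq", "ack", "window"}

# Keywords that inspect reassembled, app-layer parsed HTTP data
# (illustrative subset of the http_* modifier family).
APP_LAYER_KEYWORDS = {"http_host", "http_raw_host", "http_uri", "http_header",
                      "http_method", "http_client_body", "http_cookie",
                      "http_user_agent", "http_stat_code"}

_OPTIONS_RE = re.compile(r"\((?P<opts>.*)\)\s*$", re.S)


def parse_options(rule: str) -> list[tuple[str, str]]:
    """Split the parenthesised option block into (keyword, value) pairs.

    Splits on ';' only outside double quotes and honours backslash escapes,
    so a content pattern such as "a;b" or "x\\"y" stays in one value.
    """
    m = _OPTIONS_RE.search(rule)
    if m is None:
        raise ValueError("rule has no option block")
    text = m.group("opts")
    options, buf, in_quote, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if in_quote and ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])   # keep the escape pair verbatim
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            options.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    if "".join(buf).strip():
        options.append("".join(buf).strip())
    pairs = []
    for opt in options:
        if not opt:
            continue
        key, _, val = opt.partition(":")
        pairs.append((key.strip(), val.strip()))
    return pairs


def crossed_streams(rule: str) -> dict:
    """Report which packet-level and app-layer keywords a rule mixes."""
    keys = [k for k, _ in parse_options(rule)]
    packet = sorted({k for k in keys if k in PACKET_KEYWORDS})
    app = sorted({k for k in keys if k in APP_LAYER_KEYWORDS})
    return {"packet": packet, "app_layer": app, "invalid": bool(packet and app)}


def lint(rule: str) -> str | None:
    """Return an explanation of the conflict, or None if the rule is clean."""
    r = crossed_streams(rule)
    if not r["invalid"]:
        return None
    return ("packet keyword(s) %s combined with app-layer keyword(s) %s: "
            "either drop the http_* keywords and keep it a packet rule, "
            "or drop %s and let it match on the reassembled stream"
            % (r["packet"], r["app_layer"], r["packet"]))


# Constructed sample rules; content bytes and sid values are placeholders.
BAD_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED dsize plus http_host"; '
    'flow:established,to_server; dsize:64; content:"|00 00 00 01|"; offset:0; depth:4; '
    'content:!".example.com"; http_host; sid:1000001; rev:1;)'
)
# Fix 1: keep the packet match, drop the http_* keywords.
PACKET_ONLY_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED packet rule"; '
    'flow:established,to_server; dsize:64; content:"|00 00 00 01|"; offset:0; depth:4; '
    'sid:1000002; rev:1;)'
)
# Fix 2: drop dsize, keep the host exclusion on the reassembled HTTP request.
STREAM_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CONSTRUCTED stream rule"; '
    'flow:established,to_server; content:"|00 00 00 01|"; offset:0; depth:4; '
    'content:!".example.com"; http_host; sid:1000003; rev:1;)'
)

if __name__ == "__main__":
    for name, rule in (("bad", BAD_RULE), ("packet", PACKET_ONLY_RULE), ("stream", STREAM_RULE)):
        print(name, "->", lint(rule) or "ok")
```

Running it reports the conflict for BAD_RULE and passes the other two. Note that the http_host version only helps with the false positives if the traffic is actually parsed as HTTP; for a rule that is really a packet-level byte match, the exclusion has to be expressed in the same buffer (the packet payload) or the rule split in two.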
