Detect prefilter events 6728 v1 #1992
Compare 6041440 to 4e4dafd
@@ -1,3 +1,4 @@ | |||
alert tcp any any -> any any (msg:"TCP packet too small"; decode-event:tcp.pkt_too_small; sid:1;) | |||
alert tcp any any -> any any (msg:"TCP packet too small"; decode-event:tcp.pkt_too_small; prefilter; requires: version >= 8; sid:1; rev: 2;) |
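Review bot: the duplicate sid 1 this hunk introduces is undocumented; per the `@@ -1,3 +1,4 @@` header the rev:1 line stays and the rev:2 line is added beside it, so the file now relies on the rev:2 copy being skipped where `requires: version >= 8;` fails and on it replacing rev:1 where it holds, and nothing in the file says so. Add a comment line above the rev:2 rule stating that the duplicate sid is intentional and that the older copy is kept for Suricata 7, otherwise the next reader raises the same "sid already in this file" question as this review did. Minor style: `rev: 2;` and `requires: version >= 8;` put a space after the colon while `sid:1;` does not; pick one form for the line.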
sid 2 is already in this file
Ah no, it's sid 1 rev 2.
Any reason to use this pattern? Might as well have 2 rules side by side, to test both the prefilter and non-prefilter paths.
> any reason to use this pattern?

This way, it works on both Suricata 7 and Suricata 8.
If you have another rule side by side, you need the whole test to have min-version 8, as Suricata 7 does not support prefilter on decode-event.
And this is also a good example/showcase of the requires keyword: you load the better rule if the Suricata version allows it.
Continued in #2001
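The rule-selection mechanism the reply above relies on, as an added example that is neither Suricata's loader nor code from this PR: a small Python model of a ruleset loader that skips a rule whose `requires: version ...` clause is not met by the running version and, when two rules share a sid, keeps the one with the higher rev. Both loader behaviours are assumptions stated here rather than facts taken from the page, as is the choice to report a rule without a `rev` keyword as rev 0; the input is the two rule lines from the hunk above embedded as a constructed string, and the function names (`parse_options`, `requires_satisfied`, `load_rules`, `active_revs`) are mine.

```python
"""Model of how a ruleset with two copies of sid 1 resolves on Suricata 7 vs 8.

Added example; not Suricata's loader and not code from the PR. It assumes
two behaviours of the real loader (not stated on the page): a rule whose
``requires: version ...`` clause fails is skipped, and when two rules share
a sid the one with the higher ``rev`` replaces the one loaded earlier.
"""
from __future__ import annotations

import operator
import re

# Constructed input: the two rule lines from the PR's diff hunk.
RULES_TXT = """\
alert tcp any any -> any any (msg:"TCP packet too small"; decode-event:tcp.pkt_too_small; sid:1;)
alert tcp any any -> any any (msg:"TCP packet too small"; decode-event:tcp.pkt_too_small; prefilter; requires: version >= 8; sid:1; rev: 2;)
"""

_OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
        "<": operator.lt, "==": operator.eq}

# One option is a run of non-';' characters, where a quoted string may
# itself contain ';' (e.g. msg:"a;b") and is consumed whole.
_OPTION_RE = re.compile(r'(?:[^;"]|"(?:[^"\\]|\\.)*")+')


def parse_options(rule: str) -> list[tuple[str, str | None]]:
    """Split a rule's parenthesised option list into (keyword, value) pairs.

    Keywords without a value (such as ``prefilter``) get ``None``.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts: list[tuple[str, str | None]] = []
    for item in _OPTION_RE.findall(body):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition(":")
        opts.append((key.strip(), value.strip() if sep else None))
    return opts


def version_tuple(v: str) -> tuple[int, ...]:
    """'7.0.5' -> (7, 0, 5); a bare '8' -> (8,)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def requires_satisfied(value: str, running: str) -> bool:
    """Evaluate a ``requires`` value such as 'version >= 8' against ``running``.

    Only ``version`` requirements are modelled; any other requirement kind is
    treated as unmet so the rule is skipped rather than mis-loaded. A short
    wanted version ('8') is compared against the same number of leading
    components of the running version, so 8.0.0 satisfies 'version >= 8'.
    """
    for clause in value.split(","):
        parts = clause.split()
        if len(parts) != 3 or parts[0] != "version" or parts[1] not in _OPS:
            return False
        want = version_tuple(parts[2])
        have = version_tuple(running)[: len(want)]
        if not _OPS[parts[1]](have, want):
            return False
    return True


def load_rules(text: str, running_version: str) -> dict[int, dict]:
    """Return the rules active for ``running_version``, keyed by sid.

    Rules whose ``requires`` fails are skipped; for a duplicate sid the
    higher rev replaces the one loaded earlier, so the rev:2 copy only takes
    over where its ``requires`` clause holds.
    """
    active: dict[int, dict] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kv = dict(parse_options(line))
        sid = int(kv["sid"])
        rev = int(kv.get("rev") or 0)  # no rev keyword -> rev 0 (assumed default)
        req = kv.get("requires")
        if req is not None and not requires_satisfied(req, running_version):
            continue
        if sid in active and active[sid]["rev"] >= rev:
            continue
        active[sid] = {"rev": rev, "prefilter": "prefilter" in kv, "raw": line}
    return active


def active_revs(text: str = RULES_TXT) -> dict[str, tuple[int, bool]]:
    """Which copy of sid 1 is loaded, as {version: (rev, prefilter on?)}."""
    out: dict[str, tuple[int, bool]] = {}
    for ver in ("7.0.5", "8.0.0"):
        r = load_rules(text, ver)[1]
        out[ver] = (r["rev"], r["prefilter"])
    return out


if __name__ == "__main__":
    for ver, (rev, pf) in active_revs().items():
        print(f"Suricata {ver}: sid 1 rev {rev}, prefilter {'on' if pf else 'off'}")
```

Run against the two lines from the hunk, the model loads the plain rev:0 rule on 7.0.5 and the prefilter rev:2 rule on 8.0.0, which is the outcome the reply describes and the reason the test needs no min-version bump. The model treats `requires` as always understood; a Suricata old enough not to know the keyword at all would hit a parse error on that line instead of skipping it, and that case is not simulated here.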
Ticket
Redmine ticket: https://redmine.openinfosecfoundation.org/issues/6728