Can I use white space in the header of the rule format?

Can space be used in the header of the rule format?

According to Suricata’s documentation (6.1. Rules Format — Suricata 6.0.1 documentation), each sample contains spaces.
For example, section 6.1.3

  • ! 1.1.1.1
  • ![1.1.1.1, 1.1.1.2]

If spaces are available for address and port, it is difficult to analyze (split) headers using spaces.
I am wondering if it is officially possible to use space for Address and Port.

Let’s just try it out. Sure enough, you can have space galore.

[root@3e6616847ed5 ~]# suricata -T -S test.rules 
20/2/2021 -- 10:08:43 - <Info> - Running suricata under test mode
20/2/2021 -- 10:08:43 - <Notice> - This is Suricata version 6.0.0 RELEASE running in SYSTEM mode
20/2/2021 -- 10:08:43 - <Notice> - Configuration provided was successfully loaded. Exiting.
[root@3e6616847ed5 ~]# cat test.rules 
alert ip any any -> [        any, ! 8.8.8.8] any (msg:"asd"; sid:1;)
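
For tooling that has to split such headers itself, a bracket-aware splitter copes with this whitespace where a plain split on spaces does not. This is an added example, not part of the original posts and not Suricata's own parser; the function name `split_header` and its rules (header ends at the first "(", whitespace inside brackets is ignored, a lone "!" attaches to the next token) are assumptions based on the documentation samples quoted in the question.

```python
FIELDS = ("action", "protocol", "src_addr", "src_port",
          "direction", "dst_addr", "dst_port")


def split_header(rule):
    """Return the seven header fields of a rule as a dict.

    Assumptions of this sketch (not taken from Suricata's source): the header
    ends at the first "(", whitespace inside [...] is insignificant, and a
    lone "!" belongs to the token that follows it.
    """
    header = rule.split("(", 1)[0]
    fields, buf, depth = [], [], 0
    for ch in header:
        if ch.isspace():
            # A space ends a field only outside brackets and not right after "!".
            if depth == 0 and buf and buf[-1] != "!":
                fields.append("".join(buf))
                buf = []
            continue  # every other whitespace character is dropped
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ']' in rule header")
        buf.append(ch)
    if depth != 0:
        raise ValueError("unclosed '[' in rule header")
    if buf:
        fields.append("".join(buf))
    if len(fields) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} header fields, got {len(fields)}")
    if fields[4] not in ("->", "<>"):
        raise ValueError(f"unexpected direction {fields[4]!r}")
    return dict(zip(FIELDS, fields))


if __name__ == "__main__":
    # First rule is the one tested in the thread; the second is constructed.
    for line in (
        'alert ip any any -> [        any, ! 8.8.8.8] any (msg:"asd"; sid:1;)',
        'alert tcp ! 1.1.1.1 any -> ![1.1.1.1, 1.1.1.2] [80, 443] (msg:"x"; sid:2;)',
    ):
        print(len(line.split("(", 1)[0].split()), "naive tokens ->", split_header(line))
```

The returned fields are whitespace-normalized (for example `[any,!8.8.8.8]`); whether Suricata itself accepts a given rule is still decided by `suricata -T`.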

Thanks for your detailed answer.