Help modifying a signature from 4.18 to 5.03

Started getting this error once i switched from 4.18 to 5.03.

25/6/2020 – 15:07:51 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 900000 mixes keywords with conflicting directions

I found where the error message ( is coming from and it seems like it has to do with my flow option, but I’m not totally sure why it’s throwing the error now.


alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:“Suspicious Pastebin ‘raw’ Paste Javascript Response”; flow:established, from_server; content:“”; http_host; content:“document.write”; http_server_body; tag:session,5,packets; sid:900000; rev:1;)

I believe these keywords are causing an issue:

http_host; – http request keyword
http_server_body; – http response keyword

combined with

flow:established,from_server; – this keyword says you only want to look at traffic from the server to the client.

Your rule contains a keyword only used on traffic from the client to the server and can therefore never trigger.

Thanks! For some reason, I thought that worked on both directions.