Started getting this error once i switched from 4.18 to 5.03.

25/6/2020 – 15:07:51 - - [ERRCODE: SC_ERR_INVALID_SIGNATURE(39)] - rule 900000 mixes keywords with conflicting directions

I found where the error message (https://github.com/OISF/suricata/blob/79681bf655bc8039c246ec8a647eb1859666fac9/src/detect-parse.c#L1710) is coming from and it seems like it has to do with my flow option, but I’m not totally sure why it’s throwing the error now.

Rule:

alert http $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:“Suspicious Pastebin ‘raw’ Paste Javascript Response”; flow:established, from_server; content:“pastebin.com”; http_host; content:“document.write”; http_server_body; tag:session,5,packets; sid:900000; rev:1;)

I believe these keywords are causing an issue:

http_host; – http request keyword
http_server_body; – http response keyword

combined with

flow:established,from_server; – this keyword says you only want to look at traffic from the server to the client.

Your rule contains a keyword only used on traffic from the client to the server and can therefore never trigger.

Thanks! For some reason, I thought that worked on both directions.