(Suricata version 6.0.4 RELEASE)
I am trying to combine matching on tcp and dns in the same rule.
Suricata accepts the rule:
“pass tcp 2.2.2.2/32 any -> any any (app-layer-protocol:dns; sid:99; seq:0; ack:0; window:!65535; flags:!A; tcp.mss:<64; flow:established;)”
but combining tcp keywords with dns keywords, like:
“pass tcp 2.2.2.2/32 any -> any any (app-layer-protocol:dns; sid:99; dns.opcode:4; seq:0; ack:0; window:!65535; flags:!A; tcp.mss:<64; flow:established;)”
throws the error:
“Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords)”
Is it possible to bypass this and match on combined properties of both protocols in the same rule?
You could use two rules and use the flowbits feature for that; would this solve your use case?
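The two-rule flowbits pattern suggested in the reply, written out as an added example that is not from the original thread. The tcp keywords and the dns.opcode value are the ones from the question; the sids, msg strings and the flowbit name are constructed.

```suricata
# Rule 1: packet-level matching only (the keywords Suricata rejected alongside
# dns.opcode). It fires on the TCP packet carrying these header values and
# tags the whole flow with a flowbit. flowbits:noalert keeps this helper
# rule from producing an alert of its own.
alert tcp 2.2.2.2/32 any -> any any (msg:"helper: tagged tcp header from 2.2.2.2"; \
    seq:0; ack:0; window:!65535; flags:!A; tcp.mss:<64; flow:established; \
    flowbits:set,odd_tcp_hdr; flowbits:noalert; sid:1000001; rev:1;)

# Rule 2: app-layer matching only. It is evaluated once the DNS parser has
# run on the flow, and matches only if rule 1 already set the flowbit there.
pass tcp 2.2.2.2/32 any -> any any (msg:"pass dns opcode 4 on tagged flow"; \
    app-layer-protocol:dns; dns.opcode:4; flow:established; \
    flowbits:isset,odd_tcp_hdr; sid:1000002; rev:1;)
```

Because the flowbit persists for the life of the flow, rule 2 matches any later DNS request with opcode 4 on that flow, not only the packet that satisfied rule 1. Check that both rules load with `suricata -T -S <rulefile>` before deploying.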