Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords)

Hezam · July 28, 2022, 8:26am

(Suricata version 6.0.4 RELEASE)
I am trying to combine matching on tcp and dns in the same rule.
Suricata accepts rule:
“pass tcp 2.2.2.2/32 any → any any (app-layer-protocol:dns; sid:99; seq:0; ack:0; window:!65535; flags:!A; tcp.mss:<64; flow:established;)”
although on combining tcp keywords with dns like:
“pass tcp 2.2.2.2/32 any → any any (app-layer-protocol:dns; sid:99; dns.opcode:4; seq:0; ack:0; window:!65535; flags:!A; tcp.mss:<64; flow:established;)”
Throws error:
“Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords)”
Is it possible to bypass this and match on combined properties of both protocols in the same rule?

Andreas_Herz · August 29, 2022, 3:29pm

You could use two rules and use the flowbits feature for that, would this solve your usecase?

Topic		Replies	Views
Writing a signature for multiple conditions Rules	3	893	November 25, 2021
How to write Effective Suricata rule to match multiple tls SNI (Whitelisting)? Rules aws , community , rules , suricon , suricata	1	942	July 5, 2023
Setting flowbits for AND logic on same packet Rules	13	2251	November 24, 2020
Flow option stateless Rules	3	1021	February 8, 2021
Do pass action allows all payload going through same TCP stream? Help	4	327	June 9, 2023

Signature combines packet specific matches (like dsize, flags, ttl) with stream / state matching by matching on app layer proto (like using http_* keywords)

Related Topics