<Warning> -- duplicate instance for http_header

Please include the following information with your help request:
suricata-update version 1.3.3
Suricata version 7.0.4 RELEASE
Debian 12

I’m encountering this warning when loading rules from MISP, but I couldn’t find anywhere how to fix it.

> <Warning> -- duplicate instance for http_header

Here is some of the output:

23/4/2024 -- 14:22:02 - <Warning> -- duplicate instance for http_header in 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP  [] Outgoing HTTP Domain bordersoarmanusjuw.shop"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bordersoarmanusjuw.shop"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bordersoarmanusjuw\.shop[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:356948977; rev:1; priority:1; reference:url,https://misp/events/view/220836;)'
23/4/2024 -- 14:22:02 - <Warning> -- duplicate instance for http_header in 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP [] Outgoing HTTP Domain letchitchat.info"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"letchitchat.info"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])letchitchat\.info[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:356969137; rev:1; priority:1; reference:url,https://misp/events/view/220863;)'
23/4/2024 -- 14:22:02 - <Warning> -- duplicate instance for http_header in 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP  [] Outgoing HTTP Domain bn.networkbn.click"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"bn.networkbn.click"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bn\.networkbn\.click[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:356969757; rev:1; priority:1; reference:url,https://misp/events/view/220868;)'
23/4/2024 -- 14:22:03 - <Warning> -- duplicate instance for http_header in 'alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP [kill-chain:Delivery,diamond-model:Infrastructure] Outgoing HTTP Domain simit-federacion-nacional-transito.com"; flow:to_server,established; http.header; content: "Host|3a|"; nocase; http.header; content:"simit-federacion-nacional-transito.com"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])simit\-federacion\-nacional\-transito\.com[^A-Za-z0-9-\.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:356975097; rev:1; priority:1; reference:url,https://misp.events/view/220903;)'

http.header; content: "Host|3a|"; nocase; http.header; content:"bordersoarmanusjuw.shop"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bordersoarmanusjuw\.shop[^A-Za-z0-9-\.]/Hi";

should be written as

http.header; content: "Host|3a|"; nocase; content:"bordersoarmanusjuw.shop"; fast_pattern; nocase; pcre: "/(^|[^A-Za-z0-9-])bordersoarmanusjuw\.shop[^A-Za-z0-9-\.]/i";

That was indeed the problem. I will contact MISP support for this one. I’m getting more different warnings now.

As a bit of explanation, the http.header keyword is a so-called “sticky buffer”, which means that you specify it once and all keywords that follow it will inspect the http header buffer.

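An added example, not part of any post in this thread and not MISP or Suricata code: a small Python helper that applies the two changes from the reply above to exported rules, dropping a back-to-back repeat of the active sticky buffer and the pcre `H` modifier under `http.header`. The `STICKY` list, the `fix_rule` name and the trimmed sample rule are assumptions made for this example; it does not handle a buffer that is re-selected after a different one.

```python
import re

# Partial list of sticky buffer keywords (assumption: extend for your rule set).
STICKY = {"http.header", "http.uri", "http.host", "http.user_agent",
          "http.method", "http.cookie", "dns.query", "tls.sni", "file.data"}
OPTION_SPLIT = re.compile(r"(?<!\\);")  # an option ends at an unescaped ';'
PCRE = re.compile(r'^(pcre\s*:\s*"/.*/)([A-Za-z]*)(")$', re.S)

# Sample input: the first rule from the thread's output, trimmed of trailing options.
SAMPLE = (r'alert http $HOME_NET any -> $EXTERNAL_NET any '
          r'(msg: "MISP  [] Outgoing HTTP Domain bordersoarmanusjuw.shop"; '
          r'flow:to_server,established; http.header; content: "Host|3a|"; nocase; '
          r'http.header; content:"bordersoarmanusjuw.shop"; fast_pattern; nocase; '
          r'pcre: "/(^|[^A-Za-z0-9-])bordersoarmanusjuw\.shop[^A-Za-z0-9-\.]/Hi"; '
          r'sid:356948977; rev:1;)')

def fix_rule(rule):
    """Return (fixed_rule, notes); notes lists every change that was made."""
    head, sep, rest = rule.partition("(")
    body, _, tail = rest.rpartition(")")
    if not sep:
        return rule, []          # not a rule with an option block
    active, kept, notes = None, [], []
    for opt in OPTION_SPLIT.split(body):
        name = opt.strip()
        if not name:
            continue
        if name in STICKY:
            if name == active:   # buffer is already selected: the repeat is redundant
                notes.append(f"dropped repeated {name}")
                continue
            active = name
        elif active == "http.header" and (m := PCRE.match(name)) and "H" in m.group(2):
            # the sticky buffer already scopes the pcre, as in the corrected rule above
            name = m.group(1) + m.group(2).replace("H", "") + m.group(3)
            notes.append("dropped pcre H modifier under http.header")
        kept.append(name)
    return f"{head}({' '.join(o + ';' for o in kept)}){tail}", notes

if __name__ == "__main__":
    fixed, notes = fix_rule(SAMPLE)
    print(fixed)
    for note in notes:
        print("#", note)
```

Load the rewritten rules with `suricata -T` against your configuration before deploying them, since the helper only normalizes the one pattern discussed here.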