56 static int rule_warnings_only = 0;
112 { 0,
false,
false,
true,
"http_uri",
"http uri" },
113 { 0,
false,
false,
false,
"http_raw_uri",
"http raw uri" },
114 { 0,
false,
true,
false,
"http_method",
"http method" },
115 { 0,
false,
false,
false,
"http_request_line",
"http request line" },
116 { 0,
false,
false,
false,
"http_client_body",
"http client body" },
117 { 0,
false,
false,
true,
"http_header",
"http header" },
118 { 0,
false,
false,
false,
"http_raw_header",
"http raw header" },
119 { 0,
false,
false,
true,
"http_cookie",
"http cookie" },
120 { 0,
false,
false,
false,
"http_user_agent",
"http user agent" },
121 { 0,
false,
false,
false,
"http_host",
"http host" },
122 { 0,
false,
false,
false,
"http_raw_host",
"http raw host" },
123 { 0,
false,
false,
false,
"http_accept_enc",
"http accept enc" },
124 { 0,
false,
false,
false,
"http_referer",
"http referer" },
125 { 0,
false,
false,
false,
"http_content_type",
"http content type" },
126 { 0,
false,
false,
false,
"http_header_names",
"http header names" },
129 { 0,
false,
false,
false,
"http_stat_msg",
"http stat msg" },
130 { 0,
false,
false,
false,
"http_stat_code",
"http stat code" },
131 { 0,
false,
true,
false,
"file_data",
"http server body" },
134 { 0,
false,
false,
false,
"http_request_line",
"http request line" },
135 { 0,
false,
false,
false,
"http_accept",
"http accept" },
136 { 0,
false,
false,
false,
"http_accept_lang",
"http accept lang" },
137 { 0,
false,
false,
false,
"http_connection",
"http connection" },
138 { 0,
false,
false,
false,
"http_content_len",
"http content len" },
139 { 0,
false,
false,
false,
"http_protocol",
"http protocol" },
140 { 0,
false,
false,
false,
"http_start",
"http start" },
143 { 0,
false,
false,
false,
"http_response_line",
"http response line" },
144 { 0,
false,
false,
false,
"http.server",
"http server" },
145 { 0,
false,
false,
false,
"http.location",
"http location" },
148 static void FpPatternStatsAdd(
FpPatternStats *fp,
int list, uint16_t patlen)
157 else if (patlen < f->min)
169 int fast_pattern_set = 0;
170 int fast_pattern_only_set = 0;
171 int fast_pattern_chop_set = 0;
176 if (mpm_sm != NULL) {
179 fast_pattern_set = 1;
181 fast_pattern_only_set = 1;
183 fast_pattern_chop_set = 1;
189 fprintf(fp,
"== Sid: %u ==\n", s->
id);
190 fprintf(fp,
"%s\n", line);
192 fprintf(fp,
" Fast Pattern analysis:\n");
194 fprintf(fp,
" Prefilter on: %s\n",
201 fprintf(fp,
" No content present\n");
206 fprintf(fp,
" Fast pattern matcher: ");
207 int list_type = mpm_sm_list;
209 fprintf(fp,
"content\n");
214 fprintf(fp,
"%s (%s)\n", desc, name);
219 fprintf(fp,
" Flags:");
221 fprintf(fp,
" Offset");
224 fprintf(fp,
" Depth");
228 fprintf(fp,
" Within");
232 fprintf(fp,
" Distance");
236 fprintf(fp,
" Nocase");
240 fprintf(fp,
" Negated");
244 fprintf(fp,
" None");
247 fprintf(fp,
" Fast pattern set: %s\n", fast_pattern_set ?
"yes" :
"no");
248 fprintf(fp,
" Fast pattern only set: %s\n", fast_pattern_only_set ?
"yes" :
"no");
249 fprintf(fp,
" Fast pattern chop set: %s\n", fast_pattern_chop_set ?
"yes" :
"no");
250 if (fast_pattern_chop_set) {
251 fprintf(fp,
" Fast pattern offset, length: %u, %u\n", fp_cd->
fp_chop_offset,
262 fprintf(fp,
" Original content: ");
266 if (fast_pattern_chop_set) {
275 fprintf(fp,
" Final content: ");
281 fprintf(fp,
" Final content: ");
300 int fp_engine_analysis_set = 0;
302 if ((
ConfGetBool(
"engine-analysis.rules-fast-pattern",
303 &fp_engine_analysis_set)) == 0) {
307 if (fp_engine_analysis_set == 0)
311 char *log_path =
SCMalloc(PATH_MAX);
312 if (log_path == NULL) {
313 FatalError(
"Unable to allocate scratch memory for rule filename");
315 snprintf(log_path, PATH_MAX,
"%s/%s%s", log_dir,
318 FILE *fp = fopen(log_path,
"w");
320 SCLogError(
"failed to open %s: %s", log_path, strerror(errno));
327 SCLogInfo(
"Engine-Analysis for fast_pattern printed to file - %s",
332 gettimeofday(&tval, NULL);
334 struct tm *tms =
SCLocalTime(tval.tv_sec, &local_tm);
335 fprintf(fp,
"----------------------------------------------"
336 "---------------------\n");
338 "Date: %" PRId32
"/%" PRId32
"/%04d -- "
340 tms->tm_mday, tms->tm_mon + 1, tms->tm_year + 1900, tms->tm_hour, tms->tm_min,
342 fprintf(fp,
"----------------------------------------------"
343 "---------------------\n");
356 #define DETECT_PERCENT_ENCODING_REGEX "%[0-9|a-f|A-F]{2}"
362 PCRE2_ZERO_TERMINATED, opts, &en, &eo, NULL);
364 PCRE2_UCHAR errbuffer[256];
365 pcre2_get_error_message(en, errbuffer,
sizeof(errbuffer));
386 }
else if (value && strcasecmp(value,
"warnings-only") == 0) {
388 rule_warnings_only = 1;
393 char log_path[PATH_MAX];
394 snprintf(log_path,
sizeof(log_path),
"%s/%s%s", log_dir,
398 SCLogError(
"failed to open %s: %s", log_path, strerror(errno));
402 SCLogInfo(
"Engine-Analysis for rules printed to file - %s",
406 gettimeofday(&tval, NULL);
408 struct tm *tms =
SCLocalTime(tval.tv_sec, &local_tm);
410 "----------------------------------------------"
411 "---------------------\n");
413 "Date: %" PRId32
"/%" PRId32
"/%04d -- "
415 tms->tm_mday, tms->tm_mon + 1, tms->tm_year + 1900, tms->tm_hour, tms->tm_min,
418 "----------------------------------------------"
419 "---------------------\n");
422 if (!PerCentEncodingSetup(
de_ctx->
ea)) {
424 "Error compiling regex; can't check for percent encoding in normalized "
430 SCLogInfo(
"Conf parameter \"engine-analysis.rules\" not found. "
431 "Defaulting to not printing the rules analysis report.");
434 SCLogInfo(
"Engine-Analysis for rules disabled in conf file.");
443 fprintf(fp,
"============\n"
444 "Summary:\n============\n");
452 "%s, smallest pattern %u byte(s), longest pattern %u byte(s), number of patterns "
453 "%u, avg pattern len %.2f byte(s)\n",
455 (
float)((
double)f->
tot / (
float)f->
cnt));
475 *fp_analysis =
false;
476 *rule_analysis =
false;
480 FatalError(
"Unable to allocate per-engine analysis context");
485 if (cfg_prefix_len > 0) {
489 FatalError(
"Unable to allocate per-engine analysis context name buffer");
497 *fp_analysis = SetupFPAnalyzer(
de_ctx);
498 *rule_analysis = SetupRuleAnalyzer(
de_ctx);
500 if (!(*fp_analysis || *rule_analysis)) {
512 CleanupRuleAnalyzer(
de_ctx);
513 CleanupFPAnalyzer(
de_ctx);
530 static int PerCentEncodingMatch(
EngineAnalysisCtx *ea_ctx, uint8_t *content, uint16_t content_len)
534 pcre2_match_data *match = pcre2_match_data_create_from_pattern(ea_ctx->
percent_re, NULL);
535 ret = pcre2_match(ea_ctx->
percent_re, (PCRE2_SPTR8)content, content_len, 0, 0, match, NULL);
538 }
else if (ret < -1) {
539 SCLogError(
"Error parsing content - %s; error code is %d", content, ret);
542 pcre2_match_data_free(match);
552 if (mpm_sm != NULL) {
590 const int list_type = mpm_sm_list;
599 payload ? (stream ?
"payload and reassembled stream" :
"payload")
600 :
"reassembled stream");
607 }
else if (desc || name) {
644 vsnprintf(
str,
sizeof(
str), fmt, ap);
648 ctx->js_notes = jb_new_array();
650 jb_append_string(
ctx->js_notes,
str);
659 vsnprintf(
str,
sizeof(
str), fmt, ap);
662 if (!
ctx->js_warnings)
663 ctx->js_warnings = jb_new_array();
664 if (
ctx->js_warnings)
665 jb_append_string(
ctx->js_warnings,
str);
668 #define CHECK(pat) if (strlen((pat)) <= len && memcmp((pat), buf, MIN(len, strlen((pat)))) == 0) return true;
670 static bool LooksLikeHTTPMethod(
const uint8_t *buf, uint16_t
len)
679 static bool LooksLikeHTTPUA(
const uint8_t *buf, uint16_t
len)
681 CHECK(
"User-Agent: ");
682 CHECK(
"\nUser-Agent: ");
688 char pattern_str[1024] =
"";
691 jb_set_string(js,
"pattern", pattern_str);
700 jb_set_uint(js,
"offset", cd->
offset);
703 jb_set_uint(js,
"depth", cd->
depth);
706 jb_set_int(js,
"distance", cd->
distance);
709 jb_set_int(js,
"within", cd->
within);
728 jb_open_array(js,
"matches");
732 jb_set_string(js,
"name", mname);
738 jb_open_object(js,
"content");
741 AnalyzerNote(
ctx, (
char *)
"'fast_pattern:only' option is silently ignored and "
742 "is interpreted as regular 'fast_pattern'");
746 (
char *)
"pattern looks like it inspects HTTP, use http.request_line or "
747 "http.method and http.uri instead for improved performance");
751 (
char *)
"pattern looks like it inspects HTTP, use http.user_agent "
752 "or http.header for improved performance");
755 AnalyzerNote(
ctx, (
char *)
"'within' option for pattern w/o previous content "
756 "was converted to 'depth'");
759 AnalyzerNote(
ctx, (
char *)
"'distance' option for pattern w/o previous content "
760 "was converted to 'offset'");
768 jb_open_object(js,
"pcre");
773 (
char *)
"'/B' (rawbytes) option is a no-op and is silently ignored");
780 jb_open_object(js,
"byte_jump");
781 jb_set_uint(js,
"nbytes", cd->
nbytes);
782 jb_set_int(js,
"offset", cd->
offset);
783 jb_set_uint(js,
"multiplier", cd->
multiplier);
787 jb_set_string(js,
"base",
"unset");
790 jb_set_string(js,
"base",
"oct");
793 jb_set_string(js,
"base",
"dec");
796 jb_set_string(js,
"base",
"hex");
799 jb_open_array(js,
"flags");
801 jb_append_string(js,
"from_beginning");
803 jb_append_string(js,
"little_endian");
805 jb_append_string(js,
"big_endian");
807 jb_append_string(js,
"string");
809 jb_append_string(js,
"relative");
811 jb_append_string(js,
"align");
813 jb_append_string(js,
"dce");
815 jb_append_string(js,
"offset_be");
817 jb_append_string(js,
"from_end");
825 jb_open_object(js,
"byte_test");
826 jb_set_uint(js,
"nbytes", cd->
nbytes);
827 jb_set_int(js,
"offset", cd->
offset);
830 jb_set_string(js,
"base",
"unset");
833 jb_set_string(js,
"base",
"oct");
836 jb_set_string(js,
"base",
"dec");
839 jb_set_string(js,
"base",
"hex");
842 jb_open_array(js,
"flags");
844 jb_append_string(js,
"little_endian");
846 jb_append_string(js,
"big_endian");
848 jb_append_string(js,
"string");
850 jb_append_string(js,
"relative");
852 jb_append_string(js,
"dce");
860 jb_open_object(js,
"ipopts");
862 jb_set_string(js,
"option", flag);
869 jb_open_object(js,
"flowbits");
872 jb_set_string(js,
"cmd",
"isset");
875 jb_set_string(js,
"cmd",
"isnotset");
878 jb_set_string(js,
"cmd",
"set");
881 jb_set_string(js,
"cmd",
"unset");
884 jb_set_string(js,
"cmd",
"toggle");
888 jb_open_array(js,
"names");
894 const char *varname =
896 jb_append_string(js, varname);
901 jb_set_string(js,
"operator",
"or");
909 jb_open_object(js,
"ack");
910 jb_set_uint(js,
"number", cd->
ack);
916 jb_open_object(js,
"seq");
917 jb_set_uint(js,
"number", cd->
seq);
923 jb_open_object(js,
"tcp_mss");
924 SCDetectU16ToJson(js, cd);
930 jb_open_object(js,
"id");
931 jb_set_uint(js,
"number",
SCNtohs(cd->
id));
952 ctx.js = jb_new_object();
957 jb_set_uint(
ctx.js,
"id", s->
id);
958 jb_set_uint(
ctx.js,
"gid", s->
gid);
959 jb_set_uint(
ctx.js,
"rev", s->
rev);
960 jb_set_string(
ctx.js,
"msg", s->
msg);
963 jb_set_string(
ctx.js,
"app_proto", alproto);
965 jb_open_array(
ctx.js,
"requirements");
967 jb_append_string(
ctx.js,
"payload");
970 jb_append_string(
ctx.js,
"no_payload");
973 jb_append_string(
ctx.js,
"flow");
976 jb_append_string(
ctx.js,
"tcp_flags_init_deinit");
979 jb_append_string(
ctx.js,
"tcp_flags_unusual");
982 jb_append_string(
ctx.js,
"engine_event");
985 jb_append_string(
ctx.js,
"real_pkt");
991 jb_set_string(
ctx.js,
"type",
"unset");
994 jb_set_string(
ctx.js,
"type",
"ip_only");
997 jb_set_string(
ctx.js,
"type",
"like_ip_only");
1000 jb_set_string(
ctx.js,
"type",
"pd_only");
1003 jb_set_string(
ctx.js,
"type",
"de_only");
1006 jb_set_string(
ctx.js,
"type",
"pkt");
1009 jb_set_string(
ctx.js,
"type",
"pkt_stream");
1012 jb_set_string(
ctx.js,
"type",
"stream");
1015 jb_set_string(
ctx.js,
"type",
"app_layer");
1018 jb_set_string(
ctx.js,
"type",
"app_tx");
1021 jb_set_string(
ctx.js,
"type",
"error");
1025 jb_open_array(
ctx.js,
"flags");
1027 jb_append_string(
ctx.js,
"src_any");
1030 jb_append_string(
ctx.js,
"dst_any");
1033 jb_append_string(
ctx.js,
"sp_any");
1036 jb_append_string(
ctx.js,
"dp_any");
1039 jb_append_string(
ctx.js,
"noalert");
1042 jb_append_string(
ctx.js,
"dsize");
1045 jb_append_string(
ctx.js,
"applayer");
1048 jb_append_string(
ctx.js,
"need_packet");
1051 jb_append_string(
ctx.js,
"need_stream");
1054 jb_append_string(
ctx.js,
"negated_mpm");
1057 jb_append_string(
ctx.js,
"flush");
1060 jb_append_string(
ctx.js,
"need_flowvar");
1063 jb_append_string(
ctx.js,
"filestore");
1066 jb_append_string(
ctx.js,
"toserver");
1069 jb_append_string(
ctx.js,
"toclient");
1072 jb_append_string(
ctx.js,
"tlsstore");
1075 jb_append_string(
ctx.js,
"bypass");
1078 jb_append_string(
ctx.js,
"prefilter");
1081 jb_append_string(
ctx.js,
"src_is_target");
1084 jb_append_string(
ctx.js,
"dst_is_target");
1091 jb_open_array(
ctx.js,
"pkt_engines");
1093 for ( ; pkt != NULL; pkt = pkt->
next) {
1108 jb_start_object(
ctx.js);
1109 jb_set_string(
ctx.js,
"name", name);
1110 jb_set_bool(
ctx.js,
"is_mpm", pkt->
mpm);
1112 jb_open_array(
ctx.js,
"transforms");
1114 jb_start_object(
ctx.js);
1115 jb_set_string(
ctx.js,
"name",
1128 jb_open_array(
ctx.js,
"frame_engines");
1130 for (; frame != NULL; frame = frame->
next) {
1132 jb_start_object(
ctx.js);
1133 jb_set_string(
ctx.js,
"name", name);
1134 jb_set_bool(
ctx.js,
"is_mpm", frame->
mpm);
1136 jb_open_array(
ctx.js,
"transforms");
1138 jb_start_object(
ctx.js);
1139 jb_set_string(
ctx.js,
"name",
1151 bool has_stream =
false;
1152 bool has_client_body_mpm =
false;
1153 bool has_file_data_mpm =
false;
1155 jb_open_array(
ctx.js,
"engines");
1157 for ( ; app != NULL; app = app->
next) {
1172 }
else if (app->
mpm && strcmp(name,
"http_client_body") == 0) {
1173 has_client_body_mpm =
true;
1174 }
else if (app->
mpm && strcmp(name,
"file_data") == 0) {
1175 has_file_data_mpm =
true;
1178 jb_start_object(
ctx.js);
1179 jb_set_string(
ctx.js,
"name", name);
1180 const char *direction = app->
dir == 0 ?
"toserver" :
"toclient";
1181 jb_set_string(
ctx.js,
"direction", direction);
1182 jb_set_bool(
ctx.js,
"is_mpm", app->
mpm);
1187 jb_open_array(
ctx.js,
"transforms");
1189 jb_start_object(
ctx.js);
1190 jb_set_string(
ctx.js,
"name",
1204 if (has_stream && has_client_body_mpm)
1205 AnalyzerNote(&
ctx, (
char *)
"mpm in http_client_body combined with stream match leads to stream buffering");
1206 if (has_stream && has_file_data_mpm)
1207 AnalyzerNote(&
ctx, (
char *)
"mpm in file_data combined with stream match leads to stream buffering");
1210 jb_open_object(
ctx.js,
"lists");
1220 if (pkt_mpm || app_mpm) {
1221 jb_open_object(
ctx.js,
"mpm");
1229 jb_set_string(
ctx.js,
"buffer", name);
1236 switch (smd->
type) {
1240 DumpContent(
ctx.js, cd);
1252 jb_open_object(
ctx.js,
"prefilter");
1259 jb_set_string(
ctx.js,
"buffer", name);
1261 jb_set_string(
ctx.js,
"name", mname);
1265 if (
ctx.js_warnings) {
1266 jb_close(
ctx.js_warnings);
1267 jb_set_object(
ctx.js,
"warnings",
ctx.js_warnings);
1268 jb_free(
ctx.js_warnings);
1269 ctx.js_warnings = NULL;
1272 jb_close(
ctx.js_notes);
1273 jb_set_object(
ctx.js,
"notes",
ctx.js_notes);
1274 jb_free(
ctx.js_notes);
1275 ctx.js_notes = NULL;
1279 const char *filename =
"rules.json";
1281 char json_path[PATH_MAX] =
"";
1282 snprintf(json_path,
sizeof(json_path),
"%s/%s%s", log_dir,
1286 FILE *fp = fopen(json_path,
"a");
1288 fwrite(jb_ptr(
ctx.js), jb_len(
ctx.js), 1, fp);
1302 JsonBuilder *root_jb = jb_new_object();
1306 jb_open_array(root_jb,
"buffers");
1310 char str[1024] =
"";
1314 JsonBuilder *jb = arrays[p->
sm_list];
1315 if (arrays[p->
sm_list] == NULL) {
1316 jb = arrays[p->
sm_list] = jb_new_object();
1322 jb_set_string(jb,
"name", name);
1323 jb_set_uint(jb,
"list_id", p->
sm_list);
1325 jb_open_array(jb,
"patterns");
1328 jb_start_object(jb);
1329 jb_set_string(jb,
"pattern",
str);
1331 jb_set_uint(jb,
"cnt", p->
cnt);
1332 jb_set_uint(jb,
"mpm", p->
mpm);
1333 jb_open_object(jb,
"flags");
1344 JsonBuilder *jb = arrays[i];
1351 jb_append_object(root_jb, jb);
1357 const char *filename =
"patterns.json";
1359 char json_path[PATH_MAX] =
"";
1360 snprintf(json_path,
sizeof(json_path),
"%s/%s%s", log_dir,
1364 FILE *fp = fopen(json_path,
"a");
1366 fwrite(jb_ptr(root_jb), jb_len(root_jb), 1, fp);
1387 EngineAnalysisItemsReset(ea_ctx);
1395 FatalError(
"Unable to allocate analysis scratch pad");
1405 analyzer_item->
item_id = (uint16_t)item_id;
1406 if (analyzer_item->
item_id == -1) {
1408 FatalError(
"unable to initialize engine-analysis table: detect buffer \"%s\" not "
1441 uint32_t rule_bidirectional = 0;
1442 uint32_t rule_pcre = 0;
1443 uint32_t rule_pcre_http = 0;
1444 uint32_t rule_content = 0;
1445 uint32_t rule_flow = 0;
1446 uint32_t rule_flags = 0;
1447 uint32_t rule_flow_toserver = 0;
1448 uint32_t rule_flow_toclient = 0;
1449 uint32_t rule_flow_nostream = 0;
1450 uint32_t rule_ipv4_only = 0;
1451 uint32_t rule_ipv6_only = 0;
1452 uint32_t rule_flowbits = 0;
1453 uint32_t rule_flowint = 0;
1454 uint32_t rule_content_http = 0;
1455 uint32_t rule_content_offset_depth = 0;
1456 int32_t list_id = 0;
1457 uint32_t rule_warning = 0;
1458 uint32_t stream_buf = 0;
1459 uint32_t packet_buf = 0;
1460 uint32_t file_store = 0;
1461 uint32_t warn_pcre_no_content = 0;
1462 uint32_t warn_pcre_http_content = 0;
1463 uint32_t warn_pcre_http = 0;
1464 uint32_t warn_content_http_content = 0;
1465 uint32_t warn_content_http = 0;
1466 uint32_t warn_tcp_no_flow = 0;
1467 uint32_t warn_client_ports = 0;
1468 uint32_t warn_direction = 0;
1469 uint32_t warn_method_toclient = 0;
1470 uint32_t warn_method_serverbody = 0;
1471 uint32_t warn_pcre_method = 0;
1472 uint32_t warn_encoding_norm_http_buf = 0;
1473 uint32_t warn_file_store_not_present = 0;
1474 uint32_t warn_offset_depth_pkt_stream = 0;
1475 uint32_t warn_offset_depth_alproto = 0;
1476 uint32_t warn_non_alproto_fp_for_alproto_sig = 0;
1477 uint32_t warn_no_direction = 0;
1478 uint32_t warn_both_direction = 0;
1480 EngineAnalysisItemsInit(
de_ctx->
ea);
1486 rule_bidirectional = 1;
1500 rule_ipv4_only += 1;
1503 rule_ipv6_only += 1;
1511 if (item_slot == -1) {
1519 if (item_slot == -1) {
1524 rule_content_offset_depth++;
1530 rule_content_http++;
1537 warn_encoding_norm_http_buf += 1;
1544 rule_flow_toserver = 1;
1547 rule_flow_toclient = 1;
1552 rule_flow_nostream = 1;
1577 warn_file_store_not_present = 1;
1580 if (rule_pcre > 0 && rule_content == 0 && rule_content_http == 0) {
1582 warn_pcre_no_content = 1;
1585 if (rule_content_http > 0 && rule_pcre > 0 && rule_pcre_http == 0) {
1587 warn_pcre_http_content = 1;
1593 if (rule_content > 0 && rule_content_http > 0) {
1595 warn_content_http_content = 1;
1599 warn_content_http = 1;
1601 if (rule_content == 1) {
1606 (rule_content || rule_content_http || rule_pcre || rule_pcre_http || rule_flowbits ||
1609 warn_tcp_no_flow = 1;
1611 if (rule_flow && !rule_bidirectional && (rule_flow_toserver || rule_flow_toclient)
1616 warn_client_ports = 1;
1619 if (rule_flow && rule_bidirectional && (rule_flow_toserver || rule_flow_toclient)) {
1624 if (*http_method_item_seen_ptr) {
1625 if (rule_flow && rule_flow_toclient) {
1627 warn_method_toclient = 1;
1629 if (*http_server_body_item_seen_ptr) {
1631 warn_method_serverbody = 1;
1633 if (rule_content == 0 && rule_content_http == 0 && (rule_pcre > 0 || rule_pcre_http > 0)) {
1635 warn_pcre_method = 1;
1638 if (rule_content_offset_depth > 0 && stream_buf && packet_buf) {
1640 warn_offset_depth_pkt_stream = 1;
1644 warn_offset_depth_alproto = 1;
1649 warn_non_alproto_fp_for_alproto_sig = 1;
1653 warn_no_direction += 1;
1660 warn_both_direction += 1;
1665 if (!rule_warnings_only || (rule_warnings_only && rule_warning > 0)) {
1667 fprintf(fp,
"== Sid: %u ==\n", s->
id);
1668 fprintf(fp,
"%s\n", line);
1674 fprintf(fp,
" Rule is ip only.\n");
1677 fprintf(fp,
" Rule is like ip only.\n");
1680 fprintf(fp,
" Rule is PD only.\n");
1683 fprintf(fp,
" Rule is DE only.\n");
1686 fprintf(fp,
" Rule is packet inspecting.\n");
1689 fprintf(fp,
" Rule is packet and stream inspecting.\n");
1692 fprintf(fp,
" Rule is stream inspecting.\n");
1695 fprintf(fp,
" Rule is app-layer inspecting.\n");
1698 fprintf(fp,
" Rule is App-layer TX inspecting.\n");
1704 fprintf(fp,
" Rule is IPv6 only.\n");
1706 fprintf(fp,
" Rule is IPv4 only.\n");
1708 fprintf(fp,
" Rule matches on packets.\n");
1709 if (!rule_flow_nostream && stream_buf &&
1710 (rule_flow || rule_flowbits || rule_flowint || rule_content || rule_pcre)) {
1711 fprintf(fp,
" Rule matches on reassembled stream.\n");
1716 fprintf(fp,
" Rule matches on %s buffer.\n", ai->
display_name);
1722 if (rule_content || rule_content_http || rule_pcre || rule_pcre_http) {
1724 " Rule contains %u content options, %u http content options, %u pcre "
1725 "options, and %u pcre options with http modifiers.\n",
1726 rule_content, rule_content_http, rule_pcre, rule_pcre_http);
1731 fprintf(fp,
" Prefilter on: %s.\n",
1734 EngineAnalysisRulesPrintFP(
de_ctx, s);
1738 if (warn_pcre_no_content ) {
1739 fprintf(fp,
" Warning: Rule uses pcre without a content option present.\n"
1740 " -Consider adding a content to improve performance of this "
1743 if (warn_pcre_http_content ) {
1744 fprintf(fp,
" Warning: Rule uses content options with http_* and pcre options "
1745 "without http modifiers.\n"
1746 " -Consider adding http pcre modifier.\n");
1748 else if (warn_pcre_http ) {
1749 fprintf(fp,
" Warning: Rule app layer protocol is http, but pcre options do not "
1750 "have http modifiers.\n"
1751 " -Consider adding http pcre modifiers.\n");
1753 if (warn_content_http_content ) {
1755 " Warning: Rule contains content with http_* and content without http_*.\n"
1756 " -Consider adding http content modifiers.\n");
1758 if (warn_content_http ) {
1759 fprintf(fp,
" Warning: Rule app layer protocol is http, but content options do not "
1760 "have http_* modifiers.\n"
1761 " -Consider adding http content modifiers.\n");
1763 if (rule_content == 1) {
1766 if (warn_encoding_norm_http_buf) {
1767 fprintf(fp,
" Warning: Rule may contain percent encoded content for a normalized "
1768 "http buffer match.\n");
1770 if (warn_tcp_no_flow
1772 fprintf(fp,
" Warning: TCP rule without a flow or flags option.\n"
1773 " -Consider adding flow or flags to improve performance of "
1776 if (warn_client_ports
1781 " Warning: Rule contains ports or port variables only on the client side.\n"
1782 " -Flow direction possibly inconsistent with rule.\n");
1784 if (warn_direction ) {
1785 fprintf(fp,
" Warning: Rule is bidirectional and has a flow option with a specific "
1788 if (warn_method_toclient ) {
1789 fprintf(fp,
" Warning: Rule uses content or pcre for http_method with "
1790 "flow:to_client or from_server\n");
1792 if (warn_method_serverbody ) {
1793 fprintf(fp,
" Warning: Rule uses content or pcre for http_method with content or "
1794 "pcre for http_server_body.\n");
1796 if (warn_pcre_method
1798 fprintf(fp,
" Warning: Rule uses pcre with only a http_method content; possible "
1799 "performance issue.\n");
1801 if (warn_offset_depth_pkt_stream) {
1802 fprintf(fp,
" Warning: Rule has depth"
1803 "/offset with raw content keywords. Please note the "
1804 "offset/depth will be checked against both packet "
1805 "payloads and stream. If you meant to have the offset/"
1806 "depth checked against just the payload, you can update "
1807 "the signature as \"alert tcp-pkt...\"\n");
1809 if (warn_offset_depth_alproto) {
1811 " Warning: Rule has "
1812 "offset/depth set along with a match on a specific "
1813 "app layer protocol - %d. This can lead to FNs if we "
1814 "have a offset/depth content match on a packet payload "
1815 "before we can detect the app layer protocol for the "
1819 if (warn_non_alproto_fp_for_alproto_sig) {
1820 fprintf(fp,
" Warning: Rule app layer "
1821 "protocol is http, but the fast_pattern is set on the raw "
1822 "stream. Consider adding fast_pattern over a http "
1823 "buffer for increased performance.");
1825 if (warn_no_direction) {
1826 fprintf(fp,
" Warning: Rule has no direction indicator.\n");
1828 if (warn_both_direction) {
1829 fprintf(fp,
" Warning: Rule is inspecting both the request and the response.\n");
1831 if (warn_file_store_not_present) {
1832 fprintf(fp,
" Warning: Rule requires file-store but the output file-store is not "
1835 if (rule_warning == 0) {
1836 fprintf(fp,
" No warnings for this rule.\n");