/*
 * File-scope state for the engine-analysis reports (rule analysis and
 * fast-pattern analysis). All of it is populated during setup from the
 * "engine-analysis.*" configuration and released again at cleanup.
 */
42 static int rule_warnings_only = 0;          /* 1 when the conf value is "warnings-only": the per-rule report section is then written only for rules that raised at least one warning */
43 static FILE *rule_engine_analysis_FD = NULL; /* "rules_analysis.txt" under log_dir; NULL while that report is disabled and again after it is closed */
44 static FILE *fp_engine_analysis_FD = NULL;   /* "rules_fast_pattern.txt" under log_dir; NULL while that report is disabled and again after it is closed */
45 static pcre *percent_re = NULL;              /* compiled DETECT_PERCENT_ENCODING_REGEX, used to flag percent-encoded bytes in content matched against normalized http buffers */
46 static pcre_extra *percent_re_study = NULL;  /* pcre_study() result for percent_re, passed to pcre_exec() alongside it */
47 static char log_path[PATH_MAX];              /* scratch buffer for report paths, filled with snprintf() and shared by both reports; the close-time log message prints whatever path was written last (whether snprintf truncation is checked is not visible here) */
74 { 0,
false,
false,
true,
"http_uri",
"http uri" },
75 { 0,
false,
false,
false,
"http_raw_uri",
"http raw uri" },
76 { 0,
false,
true,
false,
"http_method",
"http method" },
77 { 0,
false,
false,
false,
"http_request_line",
"http request line" },
78 { 0,
false,
false,
false,
"http_client_body",
"http client body" },
79 { 0,
false,
false,
true,
"http_header",
"http header" },
80 { 0,
false,
false,
false,
"http_raw_header",
"http raw header" },
81 { 0,
false,
false,
true,
"http_cookie",
"http cookie" },
82 { 0,
false,
false,
false,
"http_user_agent",
"http user agent" },
83 { 0,
false,
false,
false,
"http_host",
"http host" },
84 { 0,
false,
false,
false,
"http_raw_host",
"http raw host" },
85 { 0,
false,
false,
false,
"http_accept_enc",
"http accept enc" },
86 { 0,
false,
false,
false,
"http_referer",
"http referer" },
87 { 0,
false,
false,
false,
"http_content_type",
"http content type" },
88 { 0,
false,
false,
false,
"http_header_names",
"http header names" },
91 { 0,
false,
false,
false,
"http_stat_msg",
"http stat msg" },
92 { 0,
false,
false,
false,
"http_stat_code",
"http stat code" },
93 { 0,
false,
true,
false,
"file_data",
"http server body"},
96 { 0,
false,
false,
false,
"http_request_line",
"http request line" },
97 { 0,
false,
false,
false,
"http_accept",
"http accept" },
98 { 0,
false,
false,
false,
"http_accept_lang",
"http accept lang" },
99 { 0,
false,
false,
false,
"http_connection",
"http connection" },
100 { 0,
false,
false,
false,
"http_content_len",
"http content len" },
101 { 0,
false,
false,
false,
"http_protocol",
"http protocol" },
102 { 0,
false,
false,
false,
"http_start",
"http start" },
105 { 0,
false,
false,
false,
"http_response_line",
"http response line" },
106 { 0,
false,
false,
false,
"http.server",
"http server" },
107 { 0,
false,
false,
false,
"http.location",
"http location" },
127 { .bufname =
"file_data"}
132 static void FpPatternStatsAdd(
int list, uint16_t patlen)
141 else if (patlen < f->min)
153 int fast_pattern_set = 0;
154 int fast_pattern_only_set = 0;
155 int fast_pattern_chop_set = 0;
159 if (mpm_sm != NULL) {
162 fast_pattern_set = 1;
164 fast_pattern_only_set = 1;
166 fast_pattern_chop_set = 1;
171 fprintf(fp_engine_analysis_FD,
"== Sid: %u ==\n", s->
id);
172 fprintf(fp_engine_analysis_FD,
"%s\n", line);
174 fprintf(fp_engine_analysis_FD,
" Fast Pattern analysis:\n");
176 fprintf(fp_engine_analysis_FD,
" Prefilter on: %s\n",
178 fprintf(fp_engine_analysis_FD,
"\n");
183 fprintf(fp_engine_analysis_FD,
" No content present\n");
184 fprintf(fp_engine_analysis_FD,
"\n");
188 fprintf(fp_engine_analysis_FD,
" Fast pattern matcher: ");
191 fprintf(fp_engine_analysis_FD,
"content\n");
196 fprintf(fp_engine_analysis_FD,
"%s (%s)\n", desc, name);
201 fprintf(fp_engine_analysis_FD,
" Flags:");
203 fprintf(fp_engine_analysis_FD,
" Offset");
206 fprintf(fp_engine_analysis_FD,
" Depth");
210 fprintf(fp_engine_analysis_FD,
" Within");
214 fprintf(fp_engine_analysis_FD,
" Distance");
218 fprintf(fp_engine_analysis_FD,
" Nocase");
222 fprintf(fp_engine_analysis_FD,
" Negated");
226 fprintf(fp_engine_analysis_FD,
" None");
227 fprintf(fp_engine_analysis_FD,
"\n");
229 fprintf(fp_engine_analysis_FD,
" Fast pattern set: %s\n", fast_pattern_set ?
"yes" :
"no");
230 fprintf(fp_engine_analysis_FD,
" Fast pattern only set: %s\n",
231 fast_pattern_only_set ?
"yes" :
"no");
232 fprintf(fp_engine_analysis_FD,
" Fast pattern chop set: %s\n",
233 fast_pattern_chop_set ?
"yes" :
"no");
234 if (fast_pattern_chop_set) {
235 fprintf(fp_engine_analysis_FD,
" Fast pattern offset, length: %u, %u\n",
246 fprintf(fp_engine_analysis_FD,
" Original content: ");
248 fprintf(fp_engine_analysis_FD,
"\n");
250 if (fast_pattern_chop_set) {
259 fprintf(fp_engine_analysis_FD,
" Final content: ");
261 fprintf(fp_engine_analysis_FD,
"\n");
263 FpPatternStatsAdd(list_type, patlen);
265 fprintf(fp_engine_analysis_FD,
" Final content: ");
267 fprintf(fp_engine_analysis_FD,
"\n");
269 FpPatternStatsAdd(list_type, patlen);
273 fprintf(fp_engine_analysis_FD,
"\n");
285 int fp_engine_analysis_set = 0;
287 if ((
ConfGetBool(
"engine-analysis.rules-fast-pattern",
288 &fp_engine_analysis_set)) == 0) {
292 if (fp_engine_analysis_set == 0)
297 snprintf(log_path,
sizeof(log_path),
"%s/%s", log_dir,
298 "rules_fast_pattern.txt");
300 fp_engine_analysis_FD = fopen(log_path,
"w");
301 if (fp_engine_analysis_FD == NULL) {
307 SCLogInfo(
"Engine-Analysis for fast_pattern printed to file - %s",
312 gettimeofday(&tval, NULL);
315 fprintf(fp_engine_analysis_FD,
"----------------------------------------------"
316 "---------------------\n");
317 fprintf(fp_engine_analysis_FD,
"Date: %" PRId32
"/%" PRId32
"/%04d -- "
319 tms->tm_mday, tms->tm_mon + 1, tms->tm_year + 1900, tms->tm_hour,
320 tms->tm_min, tms->tm_sec);
321 fprintf(fp_engine_analysis_FD,
"----------------------------------------------"
322 "---------------------\n");
324 memset(&fp_pattern_stats, 0,
sizeof(fp_pattern_stats));
341 }
else if (value && strcasecmp(value,
"warnings-only") == 0) {
343 rule_warnings_only = 1;
348 snprintf(log_path,
sizeof(log_path),
"%s/%s", log_dir,
"rules_analysis.txt");
349 rule_engine_analysis_FD = fopen(log_path,
"w");
350 if (rule_engine_analysis_FD == NULL) {
355 SCLogInfo(
"Engine-Analysis for rules printed to file - %s",
360 gettimeofday(&tval, NULL);
363 fprintf(rule_engine_analysis_FD,
"----------------------------------------------"
364 "---------------------\n");
365 fprintf(rule_engine_analysis_FD,
"Date: %" PRId32
"/%" PRId32
"/%04d -- "
367 tms->tm_mday, tms->tm_mon + 1, tms->tm_year + 1900, tms->tm_hour,
368 tms->tm_min, tms->tm_sec);
369 fprintf(rule_engine_analysis_FD,
"----------------------------------------------"
370 "---------------------\n");
374 fprintf(rule_engine_analysis_FD,
"Error compiling regex; can't check for percent encoding in normalized http content.\n");
379 SCLogInfo(
"Conf parameter \"engine-analysis.rules\" not found. "
380 "Defaulting to not printing the rules analysis report.");
383 SCLogInfo(
"Engine-Analysis for rules disabled in conf file.");
391 fprintf(fp_engine_analysis_FD,
"============\n"
392 "Summary:\n============\n");
399 fprintf(fp_engine_analysis_FD,
400 "%s, smallest pattern %u byte(s), longest pattern %u byte(s), number of patterns %u, avg pattern len %.2f byte(s)\n",
404 if (fp_engine_analysis_FD != NULL) {
405 fclose(fp_engine_analysis_FD);
406 fp_engine_analysis_FD = NULL;
415 if (rule_engine_analysis_FD != NULL) {
416 SCLogInfo(
"Engine-Analysis for rules printed to file - %s", log_path);
417 fclose(rule_engine_analysis_FD);
418 rule_engine_analysis_FD = NULL;
429 #define DETECT_PERCENT_ENCODING_REGEX "%[0-9|a-f|A-F]{2}"
430 const char *eb = NULL;
435 if (percent_re == NULL) {
441 percent_re_study = pcre_study(percent_re, 0, &eb);
458 #define MAX_ENCODED_CHARS 240
462 ret = pcre_exec(percent_re, percent_re_study, (
char *)content, content_len, 0, 0, ov,
MAX_ENCODED_CHARS);
478 if (mpm_sm != NULL) {
503 fprintf(rule_engine_analysis_FD,
" Fast Pattern \"");
506 fprintf(rule_engine_analysis_FD,
" Fast Pattern \"");
511 fprintf(rule_engine_analysis_FD,
"\" on \"");
521 fprintf(rule_engine_analysis_FD,
"%s",
522 payload ? (stream ?
"payload and reassembled stream" :
"payload") :
"reassembled stream");
528 fprintf(rule_engine_analysis_FD,
"%s (%s)", desc, name);
529 }
else if (desc || name) {
530 fprintf(rule_engine_analysis_FD,
"%s", desc ? desc : name);
535 fprintf(rule_engine_analysis_FD,
"\" ");
537 fprintf(rule_engine_analysis_FD,
"(with %d transform(s)) ",
540 fprintf(rule_engine_analysis_FD,
"buffer.\n");
548 fprintf(rule_engine_analysis_FD,
"== Sid: UNKNOWN ==\n");
549 fprintf(rule_engine_analysis_FD,
"%s\n", line);
550 fprintf(rule_engine_analysis_FD,
" FAILURE: invalid rule.\n");
551 fprintf(rule_engine_analysis_FD,
" File: %s.\n", file);
552 fprintf(rule_engine_analysis_FD,
" Line: %d.\n", lineno);
553 fprintf(rule_engine_analysis_FD,
"\n");
569 vsnprintf(
str,
sizeof(
str), fmt, ap);
573 ctx->js_notes = jb_new_array();
575 jb_append_string(ctx->js_notes,
str);
584 vsnprintf(
str,
sizeof(
str), fmt, ap);
587 if (!ctx->js_warnings)
588 ctx->js_warnings = jb_new_array();
589 if (ctx->js_warnings)
590 jb_append_string(ctx->js_warnings,
str);
/*
 * Prefix-test helper for the LooksLikeHTTP* predicates that follow: expands to
 * an early `return true;` in the *calling* function when `buf` begins with the
 * literal `pat`. It relies on `buf` (const uint8_t *) and `len` (uint16_t)
 * being in scope at the use site. The leading `strlen(pat) <= len` test is
 * what keeps memcmp() from reading past the end of `buf`; given that test,
 * MIN(len, strlen(pat)) always evaluates to strlen(pat). `pat` is evaluated
 * more than once, and the expansion is not wrapped in do { } while (0), so it
 * must be used only as a complete statement (never as an un-braced if/else
 * branch, where the trailing `return` would bind unexpectedly).
 */
593 #define CHECK(pat) if (strlen((pat)) <= len && memcmp((pat), buf, MIN(len, strlen((pat)))) == 0) return true;
595 static bool LooksLikeHTTPMethod(
const uint8_t *buf, uint16_t
len)
604 static bool LooksLikeHTTPUA(
const uint8_t *buf, uint16_t
len)
606 CHECK(
"User-Agent: ");
607 CHECK(
"\nUser-Agent: ");
616 jb_open_array(js,
"matches");
620 jb_set_string(js,
"name", mname);
626 jb_open_object(js,
"content");
634 jb_set_uint(js,
"offset", cd->
offset);
637 jb_set_uint(js,
"depth", cd->
depth);
640 jb_set_uint(js,
"distance", cd->
distance);
643 jb_set_uint(js,
"within", cd->
within);
647 AnalyzerNote(ctx, (
char *)
"'fast_pattern:only' option is silently ignored and "
648 "is interpreted as regular 'fast_pattern'");
652 (
char *)
"pattern looks like it inspects HTTP, use http_request_line or "
653 "http_method and http_uri instead for improved performance");
657 (
char *)
"pattern looks like it inspects HTTP, use http_user_agent "
658 "or http_header for improved performance");
680 ctx.
js = jb_new_object();
684 jb_set_string(ctx.
js,
"raw", s->
sig_str);
685 jb_set_uint(ctx.
js,
"id", s->
id);
686 jb_set_uint(ctx.
js,
"gid", s->
gid);
687 jb_set_uint(ctx.
js,
"rev", s->
rev);
688 jb_set_string(ctx.
js,
"msg", s->
msg);
691 jb_set_string(ctx.
js,
"app_proto", alproto);
693 jb_open_array(ctx.
js,
"requirements");
695 jb_append_string(ctx.
js,
"payload");
698 jb_append_string(ctx.
js,
"no_payload");
701 jb_append_string(ctx.
js,
"flow");
704 jb_append_string(ctx.
js,
"tcp_flags_init_deinit");
707 jb_append_string(ctx.
js,
"tcp_flags_unusual");
710 jb_append_string(ctx.
js,
"dcerpc");
713 jb_append_string(ctx.
js,
"engine_event");
717 jb_open_array(ctx.
js,
"flags");
719 jb_append_string(ctx.
js,
"src_any");
722 jb_append_string(ctx.
js,
"dst_any");
725 jb_append_string(ctx.
js,
"sp_any");
728 jb_append_string(ctx.
js,
"dp_any");
731 jb_append_string(ctx.
js,
"noalert");
734 jb_append_string(ctx.
js,
"dsize");
737 jb_append_string(ctx.
js,
"applayer");
740 jb_append_string(ctx.
js,
"ip_only");
743 jb_append_string(ctx.
js,
"need_packet");
746 jb_append_string(ctx.
js,
"need_stream");
749 jb_append_string(ctx.
js,
"negated_mpm");
752 jb_append_string(ctx.
js,
"flush");
755 jb_append_string(ctx.
js,
"need_flowvar");
758 jb_append_string(ctx.
js,
"filestore");
761 jb_append_string(ctx.
js,
"toserver");
764 jb_append_string(ctx.
js,
"toclient");
767 jb_append_string(ctx.
js,
"tlsstore");
770 jb_append_string(ctx.
js,
"bypass");
773 jb_append_string(ctx.
js,
"prefilter");
776 jb_append_string(ctx.
js,
"proto_detect_only");
779 jb_append_string(ctx.
js,
"src_is_target");
782 jb_append_string(ctx.
js,
"dst_is_target");
786 jb_open_array(ctx.
js,
"pkt_engines");
788 for ( ; pkt != NULL; pkt = pkt->
next) {
803 jb_start_object(ctx.
js);
804 jb_set_string(ctx.
js,
"name", name);
805 jb_set_bool(ctx.
js,
"is_mpm", pkt->
mpm);
806 DumpMatches(&ctx, ctx.
js, pkt->
smd);
812 bool has_stream =
false;
813 bool has_client_body_mpm =
false;
814 bool has_file_data_mpm =
false;
816 jb_open_array(ctx.
js,
"engines");
818 for ( ; app != NULL; app = app->
next) {
833 }
else if (app->
mpm && strcmp(name,
"http_client_body") == 0) {
834 has_client_body_mpm =
true;
835 }
else if (app->
mpm && strcmp(name,
"file_data") == 0) {
836 has_file_data_mpm =
true;
839 jb_start_object(ctx.
js);
840 jb_set_string(ctx.
js,
"name", name);
841 const char *direction = app->
dir == 0 ?
"toserver" :
"toclient";
842 jb_set_string(ctx.
js,
"direction", direction);
843 jb_set_bool(ctx.
js,
"is_mpm", app->
mpm);
845 jb_set_uint(ctx.
js,
"progress", app->
progress);
846 DumpMatches(&ctx, ctx.
js, app->
smd);
851 if (has_stream && has_client_body_mpm)
852 AnalyzerNote(&ctx, (
char *)
"mpm in http_client_body combined with stream match leads to stream buffering");
853 if (has_stream && has_file_data_mpm)
854 AnalyzerNote(&ctx, (
char *)
"mpm in file_data combined with stream match leads to stream buffering");
857 jb_open_object(ctx.
js,
"lists");
879 const char *filename =
"rules.json";
881 char json_path[PATH_MAX] =
"";
882 snprintf(json_path,
sizeof(json_path),
"%s/%s", log_dir, filename);
885 FILE *fp = fopen(json_path,
"a");
887 fwrite(jb_ptr(ctx.
js), jb_len(ctx.
js), 1, fp);
896 static void EngineAnalysisItemsReset(
void)
903 static void EngineAnalysisItemsInit(
void)
905 static bool analyzer_init =
false;
908 EngineAnalysisItemsReset();
918 if (analyzer_item->
item_id == -1) {
921 "unable to initialize engine-analysis table: detect buffer \"%s\" not recognized.",
936 analyzer_init =
true;
953 uint32_t rule_bidirectional = 0;
954 uint32_t rule_pcre = 0;
955 uint32_t rule_pcre_http = 0;
956 uint32_t rule_content = 0;
957 uint32_t rule_flow = 0;
958 uint32_t rule_flags = 0;
959 uint32_t rule_flow_toserver = 0;
960 uint32_t rule_flow_toclient = 0;
961 uint32_t rule_flow_nostream = 0;
962 uint32_t rule_ipv4_only = 0;
963 uint32_t rule_ipv6_only = 0;
964 uint32_t rule_flowbits = 0;
965 uint32_t rule_flowint = 0;
966 uint32_t rule_content_http = 0;
967 uint32_t rule_content_offset_depth = 0;
969 uint32_t rule_warning = 0;
970 uint32_t stream_buf = 0;
971 uint32_t packet_buf = 0;
972 uint32_t file_store = 0;
973 uint32_t warn_pcre_no_content = 0;
974 uint32_t warn_pcre_http_content = 0;
975 uint32_t warn_pcre_http = 0;
976 uint32_t warn_content_http_content = 0;
977 uint32_t warn_content_http = 0;
978 uint32_t warn_tcp_no_flow = 0;
979 uint32_t warn_client_ports = 0;
980 uint32_t warn_direction = 0;
981 uint32_t warn_method_toclient = 0;
982 uint32_t warn_method_serverbody = 0;
983 uint32_t warn_pcre_method = 0;
984 uint32_t warn_encoding_norm_http_buf = 0;
985 uint32_t warn_file_store_not_present = 0;
986 uint32_t warn_offset_depth_pkt_stream = 0;
987 uint32_t warn_offset_depth_alproto = 0;
988 uint32_t warn_non_alproto_fp_for_alproto_sig = 0;
989 uint32_t warn_no_direction = 0;
990 uint32_t warn_both_direction = 0;
992 EngineAnalysisItemsInit();
998 rule_bidirectional = 1;
1012 rule_ipv4_only += 1;
1015 rule_ipv6_only += 1;
1023 if (item_slot == -1) {
1031 if (item_slot == -1) {
1036 rule_content_offset_depth++;
1042 rule_content_http++;
1048 warn_encoding_norm_http_buf += 1;
1055 rule_flow_toserver = 1;
1058 rule_flow_toclient = 1;
1063 rule_flow_nostream = 1;
1089 warn_file_store_not_present = 1;
1092 if (rule_pcre > 0 && rule_content == 0 && rule_content_http == 0) {
1094 warn_pcre_no_content = 1;
1097 if (rule_content_http > 0 && rule_pcre > 0 && rule_pcre_http == 0) {
1099 warn_pcre_http_content = 1;
1106 if (rule_content > 0 && rule_content_http > 0) {
1108 warn_content_http_content = 1;
1112 warn_content_http = 1;
1114 if (rule_content == 1) {
1117 if (rule_flow == 0 && rule_flags == 0
1119 && (rule_content || rule_content_http || rule_pcre || rule_pcre_http || rule_flowbits)) {
1121 warn_tcp_no_flow = 1;
1123 if (rule_flow && !rule_bidirectional && (rule_flow_toserver || rule_flow_toclient)
1128 warn_client_ports = 1;
1131 if (rule_flow && rule_bidirectional && (rule_flow_toserver || rule_flow_toclient)) {
1136 if (*http_method_item_seen_ptr) {
1137 if (rule_flow && rule_flow_toclient) {
1139 warn_method_toclient = 1;
1141 if (*http_server_body_item_seen_ptr) {
1143 warn_method_serverbody = 1;
1145 if (rule_content == 0 && rule_content_http == 0 && (rule_pcre > 0 || rule_pcre_http > 0)) {
1147 warn_pcre_method = 1;
1150 if (rule_content_offset_depth > 0 && stream_buf && packet_buf) {
1152 warn_offset_depth_pkt_stream = 1;
1156 warn_offset_depth_alproto = 1;
1161 warn_non_alproto_fp_for_alproto_sig = 1;
1165 warn_no_direction += 1;
1172 warn_both_direction += 1;
1177 if (!rule_warnings_only || (rule_warnings_only && rule_warning > 0)) {
1178 fprintf(rule_engine_analysis_FD,
"== Sid: %u ==\n", s->
id);
1179 fprintf(rule_engine_analysis_FD,
"%s\n", line);
1183 if (rule_ipv6_only) fprintf(rule_engine_analysis_FD,
" Rule is IPv6 only.\n");
1184 if (rule_ipv4_only) fprintf(rule_engine_analysis_FD,
" Rule is IPv4 only.\n");
1185 if (packet_buf) fprintf(rule_engine_analysis_FD,
" Rule matches on packets.\n");
1186 if (!rule_flow_nostream && stream_buf && (rule_flow || rule_flowbits || rule_content || rule_pcre)) {
1187 fprintf(rule_engine_analysis_FD,
" Rule matches on reassembled stream.\n");
1192 fprintf(rule_engine_analysis_FD,
" Rule matches on %s buffer.\n", ai->
display_name);
1198 if (rule_content || rule_content_http || rule_pcre || rule_pcre_http) {
1199 fprintf(rule_engine_analysis_FD,
" Rule contains %d content options, %d http content options, %d pcre options, and %d pcre options with http modifiers.\n", rule_content, rule_content_http, rule_pcre, rule_pcre_http);
1204 fprintf(rule_engine_analysis_FD,
" Prefilter on: %s.\n",
1207 EngineAnalysisRulesPrintFP(
de_ctx, s);
1211 if (warn_pcre_no_content ) {
1212 fprintf(rule_engine_analysis_FD,
" Warning: Rule uses pcre without a content option present.\n"
1213 " -Consider adding a content to improve performance of this rule.\n");
1215 if (warn_pcre_http_content ) {
1216 fprintf(rule_engine_analysis_FD,
" Warning: Rule uses content options with http_* and pcre options without http modifiers.\n"
1217 " -Consider adding http pcre modifier.\n");
1219 else if (warn_pcre_http ) {
1220 fprintf(rule_engine_analysis_FD,
" Warning: Rule app layer protocol is http, but pcre options do not have http modifiers.\n"
1221 " -Consider adding http pcre modifiers.\n");
1223 if (warn_content_http_content ) {
1224 fprintf(rule_engine_analysis_FD,
" Warning: Rule contains content with http_* and content without http_*.\n"
1225 " -Consider adding http content modifiers.\n");
1227 if (warn_content_http ) {
1228 fprintf(rule_engine_analysis_FD,
" Warning: Rule app layer protocol is http, but content options do not have http_* modifiers.\n"
1229 " -Consider adding http content modifiers.\n");
1231 if (rule_content == 1) {
1234 if (warn_encoding_norm_http_buf) {
1235 fprintf(rule_engine_analysis_FD,
" Warning: Rule may contain percent encoded content for a normalized http buffer match.\n");
1237 if (warn_tcp_no_flow
1239 fprintf(rule_engine_analysis_FD,
" Warning: TCP rule without a flow or flags option.\n"
1240 " -Consider adding flow or flags to improve performance of this rule.\n");
1242 if (warn_client_ports
1246 fprintf(rule_engine_analysis_FD,
" Warning: Rule contains ports or port variables only on the client side.\n"
1247 " -Flow direction possibly inconsistent with rule.\n");
1249 if (warn_direction ) {
1250 fprintf(rule_engine_analysis_FD,
" Warning: Rule is bidirectional and has a flow option with a specific direction.\n");
1252 if (warn_method_toclient ) {
1253 fprintf(rule_engine_analysis_FD,
" Warning: Rule uses content or pcre for http_method with flow:to_client or from_server\n");
1255 if (warn_method_serverbody ) {
1256 fprintf(rule_engine_analysis_FD,
" Warning: Rule uses content or pcre for http_method with content or pcre for http_server_body.\n");
1258 if (warn_pcre_method
1260 fprintf(rule_engine_analysis_FD,
" Warning: Rule uses pcre with only a http_method content; possible performance issue.\n");
1262 if (warn_offset_depth_pkt_stream) {
1263 fprintf(rule_engine_analysis_FD,
" Warning: Rule has depth"
1264 "/offset with raw content keywords. Please note the "
1265 "offset/depth will be checked against both packet "
1266 "payloads and stream. If you meant to have the offset/"
1267 "depth checked against just the payload, you can update "
1268 "the signature as \"alert tcp-pkt...\"\n");
1270 if (warn_offset_depth_alproto) {
1271 fprintf(rule_engine_analysis_FD,
" Warning: Rule has "
1272 "offset/depth set along with a match on a specific "
1273 "app layer protocol - %d. This can lead to FNs if we "
1274 "have a offset/depth content match on a packet payload "
1275 "before we can detect the app layer protocol for the "
1278 if (warn_non_alproto_fp_for_alproto_sig) {
1279 fprintf(rule_engine_analysis_FD,
" Warning: Rule app layer "
1280 "protocol is http, but the fast_pattern is set on the raw "
1281 "stream. Consider adding fast_pattern over a http "
1282 "buffer for increased performance.");
1284 if (warn_no_direction) {
1285 fprintf(rule_engine_analysis_FD,
" Warning: Rule has no direction indicator.\n");
1287 if (warn_both_direction) {
1288 fprintf(rule_engine_analysis_FD,
" Warning: Rule is inspecting both the request and the response.\n");
1290 if (warn_file_store_not_present) {
1291 fprintf(rule_engine_analysis_FD,
" Warning: Rule requires file-store but the output file-store is not enabled.\n");
1293 if (rule_warning == 0) {
1294 fprintf(rule_engine_analysis_FD,
" No warnings for this rule.\n");
1296 fprintf(rule_engine_analysis_FD,
"\n");