Last Modified: Nov 07, 2022
Known Affected Versions:
13.1.0, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 13.1.1, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 13.1.3, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199, 13.1.4, 188.8.131.52, 13.1.5, 184.108.40.206
Opened: Oct 27, 2017
Severity: 3-Major
When using the term 'http_header' as an attribute of a content check, there must be a leading space between it and the content semicolon ';' delimiter. Also, 'http_header' cannot be applied for the second or subsequent content checks if preceding content checks do not have it. It also must be the first attribute of a content check.

This example fails validation because there is no space between ';' and 'http_header':

    alert tcp any any -> any any (content:User-agent;http_header; content:"mortest"; distance:1; nocase; sig_id:100020;)

This example fails validation because 'http_header' is first used for the second content check. It also fails because 'http_header' comes after 'distance' and 'nocase' for the second content check:

    alert tcp any any -> any any (content:User-agent; content:"mortest"; distance:1; nocase; http_header; sig_id:100020;)
Custom signature fails validation.
This occurs when either of the following conditions is true:
-- http_header is used for a content check that is not the first content check.
-- http_header is used after other content parameters, such as 'distance' and 'nocase'.
Use the following workarounds:
-- Use 'http_header' for initial content checks.
-- Use 'http_header' before other content attributes, such as 'distance' and 'nocase'.
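
An added example, not the product's validator or code from this report: a Python sketch that checks a custom signature against the three 'http_header' constraints described above before it is loaded on an affected version. The function name lint_http_header and the assumption that no ';' occurs inside a quoted content value are mine; the third sample signature is constructed by applying the workarounds to the report's failing examples.

```python
import re

# The first two signatures are the failing examples from this report.
FAIL_NO_SPACE = ('alert tcp any any -> any any (content:User-agent;http_header; '
                 'content:"mortest"; distance:1; nocase; sig_id:100020;)')
FAIL_ORDER = ('alert tcp any any -> any any (content:User-agent; '
              'content:"mortest"; distance:1; nocase; http_header; sig_id:100020;)')
# Constructed sample: the same rule with the workarounds applied.
PASS_WORKAROUND = ('alert tcp any any -> any any (content:User-agent; http_header; '
                   'content:"mortest"; distance:1; nocase; sig_id:100020;)')


def lint_http_header(signature):
    """Return the list of http_header constraint violations in one signature."""
    m = re.search(r"\((.*)\)\s*$", signature)
    if not m:
        return ["no option list in parentheses"]
    # Assumption: ';' never appears inside a quoted content value.
    raw_opts = [o for o in m.group(1).split(";") if o.strip()]
    problems = []
    checks = []   # one flag per content check: does it carry http_header?
    prev = None   # name of the option immediately before the current one
    for raw in raw_opts:
        name = raw.strip().split(":", 1)[0]
        if name == "content":
            checks.append(False)
        elif name == "http_header":
            if not raw[:1].isspace():
                problems.append("no space between ';' and http_header")
            if not checks:
                problems.append("http_header before any content check")
            else:
                if prev != "content":
                    problems.append(
                        f"http_header follows '{prev}'; it must be the first attribute")
                if not all(checks[:-1]):
                    problems.append(
                        "http_header on a later content check but not on an earlier one")
                checks[-1] = True
        prev = name
    return problems


if __name__ == "__main__":
    for sig in (FAIL_NO_SPACE, FAIL_ORDER, PASS_WORKAROUND):
        print(lint_http_header(sig) or "ok", "<-", sig)
```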
Protocol Inspection no longer requires such unnecessarily restrictive constraints when using the http_header keyword.