detect/replace: ban replace keyword for firewall

Ticket #8551
Juliana Fajardini 2026-05-26 17:18:45 -03:00
parent c4378e6ca9
commit 997cddabac
2 changed files with 9 additions and 2 deletions


@ -912,6 +912,9 @@ the reassembled stream.
The checksums will be recalculated by Suricata and changed after the
replace keyword is being used.
.. note:: ``replace`` cannot be used in firewall rules, nor in firewall mode,
even if only in Threat Detection rules.
.. _pcre:
pcre (Perl Compatible Regular Expressions)


@ -58,14 +58,18 @@ static int DetectReplacePostMatch(DetectEngineThreadCtx *det_ctx,
void DetectReplaceRegister (void)
{
sigmatch_table[DETECT_REPLACE].name = "replace";
sigmatch_table[DETECT_REPLACE].desc = "only to be used in IPS-mode. Change the following content into another";
sigmatch_table[DETECT_REPLACE].desc =
"only to be used in IPS-mode. Banned from firewall rules & firewall mode usage. Change "
"the following content into another";
sigmatch_table[DETECT_REPLACE].url = "/rules/payload-keywords.html#replace";
sigmatch_table[DETECT_REPLACE].Match = DetectReplacePostMatch;
sigmatch_table[DETECT_REPLACE].Setup = DetectReplaceSetup;
#ifdef UNITTESTS
sigmatch_table[DETECT_REPLACE].RegisterTests = DetectReplaceRegisterTests;
#endif
sigmatch_table[DETECT_REPLACE].flags = (SIGMATCH_QUOTES_MANDATORY|SIGMATCH_HANDLE_NEGATION);
sigmatch_table[DETECT_REPLACE].flags =
(SIGMATCH_QUOTES_MANDATORY | SIGMATCH_HANDLE_NEGATION | SIGMATCH_BAN_FIREWALL_RULE |
SIGMATCH_BAN_FIREWALL_MODE);
}
static int DetectReplacePostMatch(DetectEngineThreadCtx *det_ctx,
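Review bot: The ban is carried only by the two new flags OR'd into sigmatch_table[DETECT_REPLACE].flags; nothing in DetectReplaceRegister (or in DetectReplaceSetup, which is outside this hunk) checks the engine mode itself, so the guarantee the new docs promise rests entirely on the generic flag check in the rule parser, which this diff does not show. Since DetectReplaceRegisterTests is still wired in under UNITTESTS but untouched here, a test asserting that a signature containing `replace` fails to load both as a firewall rule and in firewall mode would pin that behavior against a future change to the flag handling. The updated desc string is user-facing (it is what keyword listings print), so I would avoid the ampersand and the trailing fragment: `"only to be used in IPS-mode. Not allowed in firewall rules or in firewall mode. Changes the following content into another"`. Note that the "only to be used in IPS-mode" part of the desc is likewise not enforced by any flag visible here; if that is intended as a hard rule rather than advice, it deserves the same treatment.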