From 997cddabac0cb0524b1ae637b8ac765c19093f57 Mon Sep 17 00:00:00 2001
From: Juliana Fajardini
Date: Tue, 26 May 2026 17:18:45 -0300
Subject: [PATCH] detect/replace: ban replace keyword for firewall

Ticket #8551
---
 doc/userguide/rules/payload-keywords.rst | 3 +++
 src/detect-replace.c                     | 8 ++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/doc/userguide/rules/payload-keywords.rst b/doc/userguide/rules/payload-keywords.rst
index dff2fb09ce..65a5363d29 100644
--- a/doc/userguide/rules/payload-keywords.rst
+++ b/doc/userguide/rules/payload-keywords.rst
@@ -912,6 +912,9 @@ the reassembled stream.
 The checksums will be recalculated by Suricata and changed after the replace keyword is being used. +.. note:: ``replace`` cannot be used in firewall rules, nor in firewall mode, + even if only in Threat Detection rules. + .. _pcre: pcre (Perl Compatible Regular Expressions)
diff --git a/src/detect-replace.c b/src/detect-replace.c
index e5fb30fa6e..215112c07b 100644
--- a/src/detect-replace.c
+++ b/src/detect-replace.c
@@ -58,14 +58,18 @@ static int DetectReplacePostMatch(DetectEngineThreadCtx *det_ctx,
 void DetectReplaceRegister (void)
 {
     sigmatch_table[DETECT_REPLACE].name = "replace";
-    sigmatch_table[DETECT_REPLACE].desc = "only to be used in IPS-mode. Change the following content into another";
+    sigmatch_table[DETECT_REPLACE].desc =
+            "only to be used in IPS-mode. Banned from firewall rules & firewall mode usage. Change "
+            "the following content into another";
     sigmatch_table[DETECT_REPLACE].url = "/rules/payload-keywords.html#replace";
     sigmatch_table[DETECT_REPLACE].Match = DetectReplacePostMatch;
     sigmatch_table[DETECT_REPLACE].Setup = DetectReplaceSetup;
 #ifdef UNITTESTS
     sigmatch_table[DETECT_REPLACE].RegisterTests = DetectReplaceRegisterTests;
 #endif
-    sigmatch_table[DETECT_REPLACE].flags = (SIGMATCH_QUOTES_MANDATORY|SIGMATCH_HANDLE_NEGATION);
+    sigmatch_table[DETECT_REPLACE].flags =
+            (SIGMATCH_QUOTES_MANDATORY | SIGMATCH_HANDLE_NEGATION | SIGMATCH_BAN_FIREWALL_RULE |
+                    SIGMATCH_BAN_FIREWALL_MODE);
 }
 
 static int DetectReplacePostMatch(DetectEngineThreadCtx *det_ctx,
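Review bot: The new flags assignment at the end of DetectReplaceRegister adds SIGMATCH_BAN_FIREWALL_RULE and SIGMATCH_BAN_FIREWALL_MODE but nothing in this commit shows the ban being exercised; the enforcement presumably lives in the rule parser, and this file already registers DetectReplaceRegisterTests under UNITTESTS, so a unit test that parses a firewall rule containing `replace` (and a normal rule under firewall mode) and asserts the parse fails would pin the behaviour the commit claims rather than leaving it to the flag's consumer. The reworded desc on the second `+` line is user-facing help text and reads awkwardly with "&" and "usage"; a phrasing aligned with the accompanying documentation note, such as `"only to be used in IPS-mode, not allowed in firewall rules or in firewall mode. Change the following content into another"`, would be clearer when printed by the keyword listing. The final context line is the start of DetectReplacePostMatch, whose body continues outside the hunk and is not affected by this change.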