Suricata 7 and newer support matching content in multiple
buffers within the same transaction.

For example, a single DNS transaction that has two queries in it:

query 1:
query 2:

Example rule:

.. container:: example-rule

    alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"DNS Multiple Question Example Rule"; dns.query; content:"example"; dns.query; content:".com"; classtype:misc-activity; sid:1; rev:1;)

Within the single DNS query transaction there are two queries,
so Suricata sets up two instances of the ``dns.query`` buffer.

The first ``dns.query`` buffer will look for content:"example";

The second ``dns.query`` buffer will look for content:".com";

The example rule will alert on the example transaction since all the
content matches of the rule are satisfied.

For matching multiple headers in HTTP2 traffic, a rule using the
new functionality would look like:

.. container:: example-rule

    alert http2 any any -> any any (msg:"HTTP2 Multiple Header Buffer Example"; flow:established,to_server; http.request_header; content:"method|3a 20|GET"; http.request_header; content:"authority|3a 20|"; classtype:misc-activity; sid:1; rev:1;)

With HTTP2, multiple headers are seen in the same flow record, and the
multiple buffer capability gives a more efficient way to write a rule
that matches on several of them.

**Note:** Existing behavior when using sticky buffers still applies:

Example rule:

.. container:: example-rule

    alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"DNS Query Sticky Buffer Classic Example Rule"; dns.query; content:"example"; content:".net"; classtype:misc-activity; sid:1; rev:1;)

The above rule will alert on a single DNS query containing
"" or "" since both content matches of the rule are evaluated
within a single ``dns.query`` buffer and all content match
requirements of the rule are met.

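The following Python model illustrates the two behaviours discussed above (the multi-buffer DNS and HTTP2 rules, and the classic single-buffer sticky rule). It is an added example, not code from the Suricata project: the rule options are those of the rules on this page, the transactions are constructed samples, and the "each sticky-buffer group must be satisfied by some one buffer instance" semantics is a simplified model of the engine, not its implementation.

```python
import re

# Constructed sample transactions (not from the page): one DNS transaction
# holding two queries, and one HTTP/2 request holding three headers.
DNS_TX = [b"example.net", b"something.com"]
HTTP2_TX = [b"method: GET", b"authority: www.example.com", b"user-agent: curl"]

# Rule bodies from the page, reduced to their sticky-buffer and content options.
RULE_MULTI = 'dns.query; content:"example"; dns.query; content:".com";'
RULE_CLASSIC = 'dns.query; content:"example"; content:".net";'
RULE_HTTP2 = ('http.request_header; content:"method|3a 20|GET"; '
              'http.request_header; content:"authority|3a 20|";')

# A keyword, optionally followed by :"value", terminated by ';'.
OPTION_RE = re.compile(r'\s*([\w.]+)(?::"((?:[^"\\]|\\.)*)")?;')


def decode_content(raw: str) -> bytes:
    """Content string to bytes; text between pipes is hex, e.g. |3a 20| -> b': '."""
    out = bytearray()
    for i, part in enumerate(raw.split("|")):
        if i % 2:  # odd-numbered parts sit between a pair of pipes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode()
    return bytes(out)


def parse_groups(rule: str, sticky: str) -> list[list[bytes]]:
    """Every occurrence of the sticky keyword opens a new group; the content
    keywords that follow it belong to that group."""
    groups: list[list[bytes]] = []
    for kw, val in OPTION_RE.findall(rule):
        if kw == sticky:
            groups.append([])
        elif kw == "content":
            if not groups:
                raise ValueError("content keyword before any sticky buffer")
            groups[-1].append(decode_content(val))
    return groups


def rule_matches(rule: str, sticky: str, instances: list[bytes]) -> bool:
    """Assumed simplified semantics (a model, not Suricata's code): a group is
    satisfied when one buffer instance contains all of its contents, and the
    rule alerts only when every group is satisfied."""
    return all(
        any(all(c in inst for c in group) for inst in instances)
        for group in parse_groups(rule, sticky)
    )
```

With the sample transaction, the classic rule still needs "example" and ".net" inside one query, while the multi-buffer rule is satisfied by "example" in one query and ".com" in another.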
**Note:** This is new behavior. In versions of Suricata prior to
version 7, multiple statements of the same sticky buffer did not
create a second instance of the buffer. For example: